CVE-2025-27098
Published: 20 February 2025
Description (MITRE ATT&CK T1005, Data from Local System, the technique mapped to this CVE)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-27098 is a path traversal vulnerability (CWE-22) in GraphQL Mesh, an open-source GraphQL Federation framework and gateway that integrates GraphQL and non-GraphQL services such as REST, gRPC, and databases like MongoDB, MySQL, and PostgreSQL. The issue resides in the static file handler used when the `staticFiles` option is enabled in the `serve` configuration. The handler never verifies that the `absolutePath` it computes for a request still lies within the designated static files directory, so a request containing traversal segments is resolved and served from wherever it lands, letting a remote client read arbitrary files that the gateway process can access.
As published, the CVSS v3.1 vector has any unauthenticated client (PR:N) with network access (AV:N) able to reach the flaw, but rates the attack as high complexity (AC:H) and requiring user interaction (UI:R), for example a victim being induced to request an attacker-supplied path. Successful exploitation yields limited access to sensitive files (C:L), minor modifications (I:L), and low disruption (A:L), with a scope change (S:C) because the gateway exposes resources beyond its own component. The base score is 5.8 (Medium).
The GitHub security advisory (GHSA-j2wh-wrv3-4x4g) gives two options: upgrade `@graphql-mesh/cli` to version 0.82.22 or later and `@graphql-mesh/http` to 0.3.19 or later, which contains the fix; or, where upgrading is not yet possible, remove the `staticFiles` option from the `serve` configuration so the vulnerable handler is never mounted, and serve static assets by other means.
Details
- CWE(s): CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Affected Products: `@graphql-mesh/cli` before 0.82.22 and `@graphql-mesh/http` before 0.3.19 (the fixed versions named in the advisory), when `serve.staticFiles` is configured
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the static file handler of an Internet-exposed GraphQL Mesh gateway lets an attacker exploit the public-facing application for initial access (T1190, Exploit Public-Facing Application) and read arbitrary files on the host directly, without any prior foothold (T1005, Data from Local System).