Cyber Resilience

CVE-2025-27098

MediumPublic PoC

Published: 20 February 2025

Published
20 February 2025
Modified
27 February 2025
KEV Added
Patch
CVSS Score v3.1 5.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0013 32.6th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27098 is a medium-severity Path Traversal (CWE-22) vulnerability in The-Guild Graphql Mesh Cli. Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-27098 is a path traversal vulnerability (CWE-22) in GraphQL Mesh, an open-source GraphQL Federation framework and gateway that integrates GraphQL and non-GraphQL services like REST, gRPC, and databases such as MongoDB, MySQL, and PostgreSQL. The issue resides in the static file handler when the `staticFiles` option is enabled in the `serve` configuration settings. This handler fails to verify whether an `absolutePath` remains within the designated static files directory, enabling unauthorized access to arbitrary files on the server's file system.

Any unauthenticated client (PR:N) with network access (AV:N) can exploit this vulnerability, though it requires high attack complexity (AC:H) and user interaction (UI:R), such as tricking a user into requesting a malicious path. Successful exploitation allows limited access to sensitive files (C:L), minor modifications (I:L), and low disruption (A:L), with a scope change (S:C) that may affect dependent components. The CVSS v3.1 base score is 5.8 (Medium severity).

The GitHub security advisory (GHSA-j2wh-wrv3-4x4g) recommends two mitigations: update `@graphql-mesh/cli` to version 0.82.22 or higher and `@graphql-mesh/http` to 0.3.19 or higher, or remove the `staticFiles` option from the configuration and use alternative methods to serve static assets.

EU & UK References

Vulnerability details

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file…

more

handler allows any client to access the files in the server's file system. When `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn't check if `absolutePath` is still under the directory provided as `staticFiles`. Users have two options to fix vulnerability; 1. Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18` 2. Remove `staticFiles` option from the configuration, and use other solutions to serve static files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in public-facing GraphQL Mesh static file handler enables exploitation of public-facing applications for initial access (T1190) and direct unauthorized access to arbitrary local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12824Shared CWE-22
CVE-2026-25965Shared CWE-22
CVE-2025-30567Shared CWE-22
CVE-2024-55457Shared CWE-22
CVE-2026-35485Shared CWE-22
CVE-2024-54909Shared CWE-22
CVE-2026-3405Shared CWE-22
CVE-2025-41368Shared CWE-22
CVE-2026-23850Shared CWE-22
CVE-2024-13471Shared CWE-22

Affected Assets

the-guild
graphql mesh cli
0.78.0 — 0.82.22
the-guild
graphql mesh http
≤ 0.3.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification, reporting, and correction of the path traversal flaw in GraphQL Mesh's static file handler through timely patching to versions 0.82.22+ or 0.3.19+.

prevent

Mandates validation of file path inputs at system entry points to ensure absolutePath remains within the designated staticFiles directory, directly preventing path traversal.

prevent

Enforces approved access control policies to restrict client access to only authorized files within the staticFiles directory, blocking unauthorized file system traversal.

References