Cyber Posture

CVE-2025-27098

Severity: Medium · Public PoC

Published: 20 February 2025
Modified: 27 February 2025
CVSS Score: 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0013 (32.6th percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27098 is a medium-severity Path Traversal (CWE-22) vulnerability in The Guild's GraphQL Mesh CLI (`@graphql-mesh/cli`). Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 32.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Requires identification, reporting, and correction of the path traversal flaw in GraphQL Mesh's static file handler through timely patching to versions 0.82.22+ (`@graphql-mesh/cli`) or 0.3.19+ (`@graphql-mesh/http`).
- prevent (SI-10, Information Input Validation): Mandates validation of file path inputs at system entry points to ensure `absolutePath` remains within the designated `staticFiles` directory, directly preventing path traversal.
- prevent (AC-3, Access Enforcement): Enforces approved access control policies to restrict client access to only authorized files within the `staticFiles` directory, blocking unauthorized file system traversal.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in the public-facing GraphQL Mesh static file handler enables exploitation of public-facing applications for initial access (T1190) and direct unauthorized access to arbitrary local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any client to access the files in the server's file system. When `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn't check if `absolutePath` is still under the directory provided as `staticFiles`. Users have two options to fix the vulnerability:

1. Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18`.
2. Remove the `staticFiles` option from the configuration, and use other solutions to serve static files.

Deeper analysis (AI-generated)

CVE-2025-27098 is a path traversal vulnerability (CWE-22) in GraphQL Mesh, an open-source GraphQL Federation framework and gateway that integrates GraphQL and non-GraphQL services like REST, gRPC, and databases such as MongoDB, MySQL, and PostgreSQL. The issue resides in the static file handler when the `staticFiles` option is enabled in the `serve` configuration settings. This handler fails to verify whether an `absolutePath` remains within the designated static files directory, enabling unauthorized access to arbitrary files on the server's file system.

Any unauthenticated client (PR:N) with network access (AV:N) can exploit this vulnerability, though it requires high attack complexity (AC:H) and user interaction (UI:R), such as tricking a user into requesting a malicious path. Successful exploitation allows limited access to sensitive files (C:L), minor modifications (I:L), and low disruption (A:L), with a scope change (S:C) that may affect dependent components. The CVSS v3.1 base score is 5.8 (Medium severity).

The GitHub security advisory (GHSA-j2wh-wrv3-4x4g) recommends two mitigations: update `@graphql-mesh/cli` to version 0.82.22 or higher and `@graphql-mesh/http` to 0.3.19 or higher, or remove the `staticFiles` option from the configuration and use alternative methods to serve static assets.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

- the-guild / graphql mesh cli: 0.78.0 to 0.82.22
- the-guild / graphql mesh http: ≤ 0.3.19
