Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-j2wh-wrv3-4x4g

Опубликовано: 16 фев. 2023
Источник: github
Github: Прошло ревью
CVSS3: 5.8

Описание

Unwanted access to the entire file system vulnerability due to a missing check in staticFiles HTTP handler

Summary

Missing check vulnerability in the static file handler allows any client to access the files in the server's file system

Details

When staticFiles is set in the serve settings in the configuration file, the following handler doesn't check if absolutePath is still under the directory provided as staticFiles;

if (staticFiles) { router.get('/:relativePath+', async request => { let { relativePath } = request.params; if (!relativePath) { relativePath = 'index.html'; } const absolutePath = path.join(baseDir, staticFiles, relativePath); if (absolutePath.includes(staticFiles) && (await pathExists(absolutePath))) { const readStream = fs.createReadStream(absolutePath); return new Response(readStream as any, { status: 200, }); } return undefined; });

Example scenario

To reproduce it, set staticFiles to the relative path of a directory in .meshrc.yml;

serve: staticFiles: ./public

Then start the server with mesh dev, and browse to /..%2fpackage.json then you will see the content of package.json. You can even go deeper to see sensitive data; /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

Impact and solution

If staticFiles is set under serve in the configuration file. you have two options to fix vulnerability;

  • Update @graphql-mesh/cli to a version higher than 0.82.21, and if you use @graphql-mesh/http, update it to a version higher than 0.3.18
  • Remove staticFiles option from the configuration, and use other solutions to serve static files.

Credits

Thanks alanwillms@gmail.com for reporting this vulnerability with details

Ссылки

Пакеты

Наименование

@graphql-mesh/cli

npm
Затронутые версииВерсия исправления

>= 0.78.0, < 0.82.22

0.82.22

Наименование

@graphql-mesh/http

npm
Затронутые версииВерсия исправления

< 0.3.19

0.3.19

EPSS

Процентиль: 30%
0.00111
Низкий

5.8 Medium

CVSS3

CVE ID

CVE-2025-27098

Дефекты

CWE-22

Связанные уязвимости

nvd логотип

CVE-2025-27098

CVSS3: 5.8
nvd
12 месяцев назад

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any client to access the files in the server's file system. When `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn't check if `absolutePath` is still under the directory provided as `staticFiles`. Users have two options to fix vulnerability; 1. Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18` 2. Remove `staticFiles` option from the configuration, and use other solutions to serve static files.

EPSS

Процентиль: 30%
0.00111
Низкий

5.8 Medium

CVSS3

CVE ID

CVE-2025-27098

Дефекты

CWE-22