CVE-2025-27098 - Static File Path Traversal Vulnerability in GraphQL Mesh – Details, Exploit, and How to Fix

GraphQL Mesh is a powerful gateway and federation framework that gives you the flexibility to connect not just GraphQL subgraphs, but also REST APIs, gRPC services, and databases like MongoDB, MySQL, and PostgreSQL. However, in June 2024, a critical security vulnerability was identified and registered as CVE-2025-27098. This bug exposes servers to potential file theft threats due to a weak check in Mesh’s static file handler.

In this article, I will walk you through what happened, why it matters, how to test for the vulnerability, and—most importantly—how to immediately secure your Mesh gateway.

What Is CVE-2025-27098?

When you configure Mesh to serve static files with the staticFiles option in your configuration (e.g. YAML or JavaScript config), Mesh will expose files from a directory on your server. The vulnerability lies in the way Mesh handles file path resolution when serving these files. It fails to properly check if a file request actually stays within the static files directory. This makes it possible—using tricks like path traversal (../)—for a remote client to fetch any file from your server’s filesystem, not just those intended for public access.

In simple words: With this vulnerability, a hacker can download files from your backend—passwords, configs, even source code—if they know the URL of your Mesh server and it’s using vulnerable packages.

Let’s imagine your Mesh config looks like this:

serve:
  staticFiles: ./public

Suppose your Mesh’s HTTP endpoint is /static. Normally, /static/foo.txt should return a file inside your ./public folder.

But because of the missing validation, a request like this is possible:

GET /static/../../../../../etc/passwd HTTP/1.1
Host: mesh.example.com

Or as an absolute path on Node.js servers:

GET /static/C:/Windows/System32/drivers/etc/hosts

If the Mesh process has read access, it will return the content—even if that file is outside ./public!

Here’s a simplified code snippet of what’s going on in the vulnerable handler:

// Pseudocode - simplified vulnerable example (not Mesh's actual source)
app.get('/static/*', (req, res) => {
  const fs = require('fs');
  const path = require('path');

  const staticDir = path.resolve(__dirname, 'public');
  // req.params[0] is the wildcard part of the URL after /static/
  const requestedFile = path.resolve(staticDir, req.params[0]);

  // WRONG: Not checking that requestedFile is actually inside staticDir!
  // "../" segments walk above staticDir, and an absolute path makes
  // path.resolve discard staticDir entirely.
  if (fs.existsSync(requestedFile)) {
    res.sendFile(requestedFile);
  } else {
    res.status(404).end();
  }
});

Attackers can manipulate the URL to climb outside public.

- Do you use the staticFiles option in your Mesh config?
- Are you running a version lower than @graphql-mesh/cli@.82.22 or @graphql-mesh/http@.3.19?
- Can you fetch files outside your intended static directory over HTTP?

Try fetching /static/../../package.json (or another file you know exists *above* your static directory) from your browser or with curl:

curl http://localhost:400/static/../../package.json

If the file contents are returned, your Mesh is vulnerable. Note that curl collapses ../ segments client-side before sending the request unless you pass --path-as-is, so a clean result without that flag is not conclusive.

1. Update to Versions Where the Static File Handler Is Patched

npm install @graphql-mesh/cli@^.82.22 @graphql-mesh/http@^.3.19

Why?
The updated versions specifically check that the resolved file path is still within the staticFiles directory. If a request tries to escape, it’s denied.

Reference

- GitHub Mesh Changelog
- @graphql-mesh/http Changelog

2. Remove Mesh Static File Serving Completely

Delete the staticFiles option from your config and use another server (like Nginx, Apache, or Express middleware) to serve static files. These solutions are older, more mature, and often have better security defaults than freshly coded plugins.

Example: Using Express for Static Files

const express = require('express');
const path = require('path');
const app = express();
// express.static resolves every request against this root and refuses paths that would escape it
app.use('/static', express.static(path.join(__dirname, 'public')));

Summary Table

| Affected Package | Secure Version | CVE Reference |
|------------------------|---------------|--------------------------|
| @graphql-mesh/cli | ≥ .82.22 | CVE-2025-27098 |
| @graphql-mesh/http | ≥ .3.19 | CVE-2025-27098 |

- GraphQL Mesh on npm (@graphql-mesh/cli)
- GraphQL Mesh on GitHub
- CVE-2025-27098 entry on Vuln DB *(pending public release)*
- Mesh Security Docs
- Path Traversal Explained (OWASP)

Final Thoughts

This is a textbook example of how small validation mistakes can lead to major security incidents. If you use GraphQL Mesh as a server or gateway, don’t delay: update your packages or reconfigure your setup immediately.

Found this post helpful? Share it with your team or leave feedback below!
Stay safe, and always validate your paths.


*Written for the community, based on public advisories and first-hand analysis. Feel free to cite, but please link back to the original sources above.*

Timeline

Published on: 02/20/2025 21:15:26 UTC
Last modified on: 02/27/2025 20:27:05 UTC