CVE-2025-27098

5.8 MEDIUM

📋 TL;DR

GraphQL Mesh has a path traversal vulnerability in its static file handler that allows attackers to access arbitrary files on the server filesystem. This affects all GraphQL Mesh deployments using the staticFiles configuration option. Attackers can potentially read sensitive configuration files, source code, or other system files.

💻 Affected Systems

Products:
  • @graphql-mesh/cli
  • @graphql-mesh/http
Versions: @graphql-mesh/cli <= 0.82.21, @graphql-mesh/http <= 0.3.18
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when staticFiles option is configured in serve settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise through reading sensitive files such as SSH keys, database credentials, or configuration secrets, leading to further system access.

🟠 Likely Case: Information disclosure of application source code, configuration files, or other sensitive data stored on the server filesystem.

🟢 If Mitigated: Limited impact with proper network segmentation and minimal sensitive data on accessible filesystems.

🌐 Internet-Facing: HIGH - Directly exploitable by any client without authentication when exposed to internet.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal attack requiring only HTTP requests to GraphQL Mesh endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: @graphql-mesh/cli > 0.82.21, @graphql-mesh/http > 0.3.18

Vendor Advisory: https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g

Restart Required: Yes

Instructions:

1. Update @graphql-mesh/cli: npm update @graphql-mesh/cli
2. Update @graphql-mesh/http: npm update @graphql-mesh/http
3. Restart GraphQL Mesh service

🔧 Temporary Workarounds

Remove staticFiles configuration (applies to: all)

Disable the vulnerable static file handler by removing the staticFiles option from the configuration: edit the GraphQL Mesh config file and remove or comment out the staticFiles setting.

🧯 If You Can't Patch

  • Implement network-level restrictions to limit access to GraphQL Mesh endpoints
  • Use reverse proxy with strict path validation before requests reach GraphQL Mesh

🔍 How to Verify

Check if Vulnerable:

Check whether staticFiles is configured in the GraphQL Mesh config and whether the installed version falls in the affected range.

Check Version:

npm list @graphql-mesh/cli @graphql-mesh/http

Verify Fix Applied:

Confirm the installed package versions are newer than the patched thresholds listed above, then test path traversal attempts against the static file route and confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file path patterns in GraphQL Mesh access logs
  • Requests for known sensitive files like /etc/passwd, .env, config files

Network Indicators:

  • HTTP requests with path traversal sequences (../) to GraphQL Mesh endpoints

SIEM Query:

source="graphql-mesh" AND (url="*../*" OR url="*/etc/*" OR url="*/.env*")
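Added detection example (not part of this advisory or of the GraphQL Mesh project): the SIEM query above matches the literal `../` in the raw URL, so percent-encoded or double-encoded traversal slips past it. This JavaScript decodes the request path before matching and flags only whole `..` segments plus the sensitive targets listed above; the access-log format and sample lines are constructed for illustration.

```javascript
// Added example (not GraphQL Mesh project code): flag access-log requests that
// look like traversal against a static-file route. Markers come from the
// indicators above; the log format is constructed for illustration.
const SENSITIVE_MARKERS = ["/etc/", "/.env", "/config"];

// Undo percent-encoding repeatedly so %2e%2e and double-encoded %252e%252e both
// surface as "..", which a wildcard match on the raw URL would miss.
function normalizePath(rawPath) {
  let decoded = rawPath.split("?")[0];
  for (let round = 0; round < 3; round++) {
    let next;
    try { next = decodeURIComponent(decoded); } catch (e) { break; } // malformed: keep as is
    if (next === decoded) break;
    decoded = next;
  }
  return decoded.replace(/\\/g, "/"); // backslashes act as separators on Windows
}

function classifyRequest(rawPath) {
  const normalized = normalizePath(rawPath);
  const reasons = [];
  // Only a whole ".." segment walks up a directory; "logo..png" does not.
  if (normalized.split("/").includes("..")) reasons.push("dot-dot segment");
  for (const marker of SENSITIVE_MARKERS) {
    if (normalized.toLowerCase().includes(marker)) reasons.push(`sensitive target ${marker}`);
  }
  const encoded = normalized !== rawPath.split("?")[0]; // true when decoding changed the path
  return { rawPath, normalized, encoded, suspicious: reasons.length > 0, reasons };
}

// Constructed sample lines: "<client> <method> <path> <status>".
const SAMPLE_LOG = [
  "10.0.0.5 GET /static/app.css 200",
  "10.0.0.9 GET /static/../../../etc/passwd 200",
  "10.0.0.9 GET /static/%2e%2e/%2e%2e/.env 200",
  "10.0.0.9 GET /static/..%252f..%252fconfig/mesh.yaml 404",
  "10.0.0.7 GET /static/images/logo..png 200",
];

// Parse each line and keep only the suspicious entries.
function scanLog(lines) {
  return lines
    .map((line) => {
      const [client, method, path, status] = line.split(" ");
      return { client, method, status: Number(status), ...classifyRequest(path) };
    })
    .filter((entry) => entry.suspicious);
}

console.log(scanLog(SAMPLE_LOG).map((e) => `${e.client} ${e.normalized} [${e.reasons.join(", ")}]`));
```

Pipe real access-log lines through `scanLog` after adapting the one-line parser to your log format; the `encoded` flag shows which hits the raw-URL wildcard query would have missed.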
