
Cloud Vulnerability DB
A community-led vulnerabilities database
GraphQL Mesh is a GraphQL federation framework and gateway that fronts both federated and non-federated GraphQL subgraphs, non-GraphQL services such as REST and gRPC, and databases such as MongoDB, MySQL, and PostgreSQL. A missing containment check in its static file handler lets any client, without authentication, read files from the server's file system. The vulnerability was disclosed on February 16, 2023 and affects versions >0.78.0 and <0.82.22 of @graphql-mesh/cli and versions <0.3.19 of @graphql-mesh/http (GitHub Advisory).
The vulnerable code is reachable only when staticFiles is set under the serve settings in the Mesh configuration file. The handler resolves the requested URL path against that directory but never verifies that the resulting absolutePath is still inside it, so a request carrying a URL-encoded '..' segment walks out of the directory. For example, with staticFiles set to './public' in .meshrc.yml, a request for '/..%2fpackage.json' returns the project's package.json, and additional '..' segments reach files elsewhere on the host, such as /etc/passwd (GitHub Advisory).
Because no credentials are needed, anyone who can reach the gateway's HTTP endpoint can read any file the server process can read. That exposes source, configuration data and system files, and whatever secrets they contain, and so can lead to information disclosure and broader compromise of the host (GitHub Advisory).
There are two ways to mitigate the vulnerability: 1) update @graphql-mesh/cli to version 0.82.22 or later and, if @graphql-mesh/http is used, update it to version 0.3.19 or later; or 2) remove the staticFiles option from the configuration and serve static files by other means, for example a dedicated web server or reverse proxy in front of the gateway (GitHub Advisory).
Source: This report was generated using AI