GHSA-J2WH-WRV3-4X4G

Vulnerability from github – Published: 2023-02-16 18:41 – Updated: 2025-02-20 22:51
VLAI?
Summary
Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler
Details

Summary

Missing check vulnerability in the static file handler allows any client to access the files in the server's file system

Details

When staticFiles is set in the serve settings in the configuration file, the following handler doesn't check if absolutePath is still under the directory provided as staticFiles;

  if (staticFiles) {
    router.get('/:relativePath+', async request => {
      let { relativePath } = request.params;
      if (!relativePath) {
        relativePath = 'index.html';
      }
      const absolutePath = path.join(baseDir, staticFiles, relativePath);
      if (absolutePath.includes(staticFiles) && (await pathExists(absolutePath))) {
        const readStream = fs.createReadStream(absolutePath);
        return new Response(readStream as any, {
          status: 200,
        });
      }
      return undefined;
    });
 ```

### Example scenario
To reproduce it, set `staticFiles` to the relative path of a directory in `.meshrc.yml`;

```yml
serve:
   staticFiles: ./public

Then start the server with mesh dev, and browse to /..%2fpackage.json then you will see the content of package.json. You can even go deeper to see sensitive data; /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

Impact and solution

If staticFiles is set under serve in the configuration file. you have two options to fix vulnerability;

  • Update @graphql-mesh/cli to a version higher than 0.82.21, and if you use @graphql-mesh/http, update it to a version higher than 0.3.18
  • Remove staticFiles option from the configuration, and use other solutions to serve static files.

Credits

Thanks alanwillms@gmail.com for reporting this vulnerability with details

Severity ?
5.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@graphql-mesh/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.78.0"
            },
            {
              "fixed": "0.82.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@graphql-mesh/http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-16T18:41:07Z",
    "nvd_published_at": "2025-02-20T21:15:26Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nMissing check vulnerability in the static file handler allows any client to access the files in the server\u0027s file system\n\n### Details\nWhen `staticFiles` is set in the `serve` settings in the configuration file, the following handler doesn\u0027t check if `absolutePath` is still under the directory provided as `staticFiles`;\n\n```ts\n  if (staticFiles) {\n    router.get(\u0027/:relativePath+\u0027, async request =\u003e {\n      let { relativePath } = request.params;\n      if (!relativePath) {\n        relativePath = \u0027index.html\u0027;\n      }\n      const absolutePath = path.join(baseDir, staticFiles, relativePath);\n      if (absolutePath.includes(staticFiles) \u0026\u0026 (await pathExists(absolutePath))) {\n        const readStream = fs.createReadStream(absolutePath);\n        return new Response(readStream as any, {\n          status: 200,\n        });\n      }\n      return undefined;\n    });\n ```\n\n### Example scenario\nTo reproduce it, set `staticFiles` to the relative path of a directory in `.meshrc.yml`;\n\n```yml\nserve:\n   staticFiles: ./public\n```\n\nThen start the server with `mesh dev`, and browse to `/..%2fpackage.json` then you will see the content of `package.json`. You can even go deeper to see sensitive data; `/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd`\n\n### Impact and solution\nIf `staticFiles` is set under `serve` in the configuration file. you have two options to fix vulnerability;\n\n- Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18`\n- Remove `staticFiles` option from the configuration, and use other solutions to serve static files.\n\n### Credits\nThanks [alanwillms@gmail.com](mailto:alanwillms@gmail.com) for reporting this vulnerability with details",
  "id": "GHSA-j2wh-wrv3-4x4g",
  "modified": "2025-02-20T22:51:27Z",
  "published": "2023-02-16T18:41:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Urigo/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27098"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Urigo/graphql-mesh/commit/95d93e7c140c2995b37e9d822aa3fe4e24ed2e78"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Urigo/graphql-mesh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.