GMS-2023-392: Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler

February 16, 2023

Missing check vulnerability in the static file handler allows any client to access the files in the server’s file system. When staticFiles is set in the serve settings in the configuration file, the following handler doesn’t check if absolutePath is still under the directory provided as staticFiles;

References

github.com/Urigo/graphql-mesh/commit/95d93e7c140c2995b37e9d822aa3fe4e24ed2e78
github.com/Urigo/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g
github.com/advisories/GHSA-j2wh-wrv3-4x4g

Detect and mitigate GMS-2023-392 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →