CVE-2025-27098: Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler
A missing check in the static file handler allows any client to read files anywhere on the server's file system, not only those under the directory the handler is meant to serve.
References
- github.com/Urigo/graphql-mesh
- github.com/Urigo/graphql-mesh/commit/95d93e7c140c2995b37e9d822aa3fe4e24ed2e78
- github.com/Urigo/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g
- github.com/advisories/GHSA-j2wh-wrv3-4x4g
- github.com/ardatan/graphql-mesh/security/advisories/GHSA-j2wh-wrv3-4x4g
- nvd.nist.gov/vuln/detail/CVE-2025-27098