Vulnerability Database
296,733
Total vulnerabilities in the database
Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler
Summary
Missing check vulnerability in the static file handler allows any client to access the files in the server's file system
Details
When staticFiles is set in the serve settings in the configuration file, the following handler doesn't check if absolutePath is still under the directory provided as staticFiles;
if (staticFiles) {
router.get('/:relativePath+', async request => {
let { relativePath } = request.params;
if (!relativePath) {
relativePath = 'index.html';
}
const absolutePath = path.join(baseDir, staticFiles, relativePath);
if (absolutePath.includes(staticFiles) && (await pathExists(absolutePath))) {
const readStream = fs.createReadStream(absolutePath);
return new Response(readStream as any, {
status: 200,
});
}
return undefined;
});
Example scenario
To reproduce it, set staticFiles to the relative path of a directory in .meshrc.yml;
serve:
staticFiles: ./public
Then start the server with mesh dev, and browse to /..%2fpackage.json then you will see the content of package.json. You can even go deeper to see sensitive data; /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
Impact and solution
If staticFiles is set under serve in the configuration file. you have two options to fix vulnerability;
- Update
@graphql-mesh/clito a version higher than0.82.21, and if you use@graphql-mesh/http, update it to a version higher than0.3.18 - Remove
staticFilesoption from the configuration, and use other solutions to serve static files.
Credits
Thanks alanwillms@gmail.com for reporting this vulnerability with details
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime