What is the CVSS score of CVE-2025-27098?

CVE-2025-27098 has a CVSS 3.1 base score of 5.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L. EPSS exploitation probability: 0.1%.

Which versions of PostgreSQL are affected by CVE-2025-27098?

Organizations using GraphQL Mesh should be aware of moderate risk from CVE-2025-27098, a path traversal vulnerability rated CVSS 5.8. This could allow unauthorized file access.. A patch is available.

Is there a public PoC exploit available for CVE-2025-27098?

Yes, a public proof-of-concept exploit is available for CVE-2025-27098. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-27098?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.

PostgreSQL CVE-2025-27098

MEDIUM

Path Traversal (CWE-22)

2025-02-20 security-advisories@github.com

PostgreSQL Path Traversal Graphql Mesh Cli Graphql Mesh Http

5.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.8 MEDIUM

AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 28, 2026 - 18:27 vuln.today

PoC Detected

Feb 27, 2025 - 20:27 vuln.today

Public exploit code

CVE Published

Feb 20, 2025 - 21:15 nvd

MEDIUM 5.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on @graphql-mesh/cli (1 direct, 0 indirect)
2 npm packages depend on @graphql-mesh/http (1 direct, 1 indirect)

Ecosystem-wide dependent count for version 0.78.0 and other introduced versions.

DescriptionGitHub Advisory

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any client to access the files in the server's file system. When staticFiles is set in the serve settings in the configuration file, the following handler doesn't check if absolutePath is still under the directory provided as staticFiles. Users have two options to fix vulnerability; 1. Update @graphql-mesh/cli to a version higher than 0.82.21, and if you use @graphql-mesh/http, update it to a version higher than 0.3.18 2. Remove staticFiles option from the configuration, and use other solutions to serve static files.

AnalysisAI

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any client to access the files in the server's file system. When staticFiles is set in the serve settings in the configuration file, the following handler doesn't check if absolutePath is still under the directory provided as staticFiles. Users have two options to fix vulnerability; 1. Update @graphql-mesh/cli to a version higher than 0.82.21, and if you use @graphql-mesh/http, update it to a version higher than 0.3.18 2. Remove staticFiles option from the configuration, and use other solutions to serve static files. Affected products include: The-Guild Graphql Mesh Cli, The-Guild Graphql Mesh Http.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.