Unknown · @Graphql-Mesh/Cli · CVE-2025-27098
**Name of the Vulnerable Software and Affected Versions**
@graphql-mesh/cli versions prior to 0.82.21
@graphql-mesh/http versions prior to 0.3.18
**Description**
A missing-check vulnerability in the static file handler allows any client to access files anywhere on the server's file system. When `staticFiles` is set in the `serve` settings of the configuration file, the handler resolves the requested path to `absolutePath` but never verifies that the result still lies under the directory given as `staticFiles`. This issue affects GraphQL Mesh, a framework and gateway for GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, and databases.
**Recommendations**
1. Update `@graphql-mesh/cli` to a version higher than 0.82.21.
2. If using `@graphql-mesh/http`, update it to a version higher than 0.3.18.
3. Remove the `staticFiles` option from the configuration and use other solutions to serve static files.