CVE-2025-59049

Mockoon provides way to design and run mock APIs. Prior to version 9.2.0, a mock API configuration for static file serving follows the same approach presented in the documentation page, where the server filename is generated via templating features from user input is vulnerable to Path Traversal and LFI, allowing an attacker to get any file in the mock server filesystem. The issue may be particularly relevant in cloud hosted server instances. Version 9.2.0 fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a43e10dc81b0d9c55a9/packages/commons-server/src/libs/server/server.ts#L1400
https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a43e10dc81b0d9c55a9/packages/commons-server/src/libs/server/server.ts#L1551
https://github.com/mockoon/mockoon/commit/c7f6e23e87dc3b8cc44e5802af046200a797bd2e
https://github.com/mockoon/mockoon/security/advisories/GHSA-w7f9-wqc4-3wxr

Configurations

No configuration.

History

10 Sep 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-10 19:15

Updated : 2025-09-11 17:14

NVD link : CVE-2025-59049

Mitre link : CVE-2025-59049

CVE.ORG link : CVE-2025-59049

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-24

Path Traversal: '../filedir'

CWE-73

External Control of File Name or Path

7.5 /10