CVE-2025-59049
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-10

Last updated on: 2025-09-11

Assigner: GitHub, Inc.

Description
Mockoon provides way to design and run mock APIs. Prior to version 9.2.0, a mock API configuration for static file serving follows the same approach presented in the documentation page, where the server filename is generated via templating features from user input is vulnerable to Path Traversal and LFI, allowing an attacker to get any file in the mock server filesystem. The issue may be particularly relevant in cloud hosted server instances. Version 9.2.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-10
Last Modified
2025-09-11
Generated
2026-06-16
AI Q&A
2025-09-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59049
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
mockoon mockoon 9.1.0
mockoon mockoon 9.2.0
mockoon commons-server *
mockoon cli *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-24 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59049 is a high-severity vulnerability in Mockoon's static file serving feature prior to version 9.2.0. It arises because the server generates filenames using templating features based on user input without properly sanitizing the resulting file paths. This improper input validation allows an attacker to perform path traversal and local file inclusion (LFI) attacks, enabling them to access arbitrary files on the server filesystem, including sensitive files like /etc/passwd. The vulnerability can be exploited remotely without any privileges or user interaction. [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server hosting the mock API. An attacker can remotely read arbitrary files on the server, potentially exposing confidential data, configuration files, or credentials. This poses a significant confidentiality risk, especially for cloud-hosted instances where sensitive data may be stored. The vulnerability does not affect data integrity or availability but can compromise the confidentiality of the system. [1]

Detection Guidance

This vulnerability can be detected by attempting to access files outside the intended static file serving directory using crafted HTTP requests that include path traversal sequences. For example, sending a request to the mock API server with a URL containing encoded path traversal payloads such as '%2F..%2F..%2Fetc%2Fpasswd' can reveal if unauthorized files are accessible. A practical detection command using curl might be: curl -v http://<mockoon-server>:<port>/static/%2F..%2F..%2F..%2Fetc%2Fpasswd. If the server returns the contents of sensitive files like /etc/passwd, the vulnerability is present. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Mockoon to version 9.2.0 or later, where the vulnerability is fixed. The fix includes secure path resolution and validation via the new 'getSafeFilePath' method, which prevents path traversal by enforcing directory boundary checks. Additionally, ensure that the server is configured with the 'environmentDirectory' option to define a safe base directory for static file serving. Until the upgrade, restrict access to the mock API server to trusted networks and avoid exposing it publicly, especially in cloud environments. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59049. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart