CVE-2025-59049
BaseFortify
Publication date: 2025-09-10
Last updated on: 2025-09-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mockoon | mockoon | 9.1.0 |
| mockoon | mockoon | 9.2.0 |
| mockoon | commons-server | * |
| mockoon | cli | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-24 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59049 is a high-severity path traversal vulnerability in Mockoon's static file serving feature in versions prior to 9.2.0. When a route's response is a file, the file path can be rendered from templating helpers that read request data; before the fix, the rendered path was used as-is, without confining it to a base directory. An attacker can therefore supply '../' sequences (plain or URL-encoded) and read arbitrary files that the server process can access, including /etc/passwd and configuration or credential files (local file inclusion, LFI). Exploitation is remote and requires neither privileges nor user interaction. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server hosting the mock API. An attacker can remotely read arbitrary files on the server, potentially exposing confidential data, configuration files, or credentials. This poses a significant confidentiality risk, especially for cloud-hosted instances where sensitive data may be stored. The vulnerability does not affect data integrity or availability but can compromise the confidentiality of the system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Active check: send a request to a route in the mock environment whose file response path is built from request input (a route or query parameter, header or body field rendered through templating) and include a traversal payload; if a file outside the intended directory comes back, the instance is vulnerable. The '/static/' prefix below is illustrative, so substitute the route that serves files on the instance under test. For example: curl -v 'http://<mockoon-server>:<port>/static/%2F..%2F..%2F..%2Fetc%2Fpasswd'. Try the plain form ('../../../etc/passwd') as well, since the encoded form is decoded before it reaches the template, and on a Windows host target a file such as C:\Windows\win.ini instead. If the response body contains the contents of /etc/passwd (or the equivalent file), the vulnerability is present; a patched instance must not return the file. Passive check: review the access logs of any reverse proxy in front of the instance for request targets that contain a '..' segment after URL-decoding. Also confirm the installed version (for example 'npm ls @mockoon/cli' for the CLI package, or the desktop app's About dialog), since anything before 9.2.0 is affected. [1]
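As an added example (not part of this page and not Mockoon project code), the passive side of detection: a script that scans access-log lines from a proxy in front of a mock server for request targets that contain a '..' segment after URL-decoding, including double-encoded and backslash variants. The log lines are constructed for this example and follow the common Apache/nginx combined-style prefix; the function names are this example's own.

```javascript
// Added example, not Mockoon's code: scan access-log lines for path-traversal
// attempts aimed at a mock server. The log lines are constructed for this
// example and follow the common Apache/nginx "combined"-style prefix.

const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Sep/2025:12:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 5120',
  '10.0.0.9 - - [10/Sep/2025:12:00:02 +0000] "GET /static/%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
  '10.0.0.9 - - [10/Sep/2025:12:00:03 +0000] "GET /static/..%252f..%252fetc/shadow HTTP/1.1" 404 12',
  '10.0.0.9 - - [10/Sep/2025:12:00:04 +0000] "GET /files/report..pdf HTTP/1.1" 200 900',
  '10.0.0.7 - - [10/Sep/2025:12:00:05 +0000] "GET /api/users?file=..\\..\\windows\\win.ini HTTP/1.1" 200 300',
];

// Percent-decode repeatedly until the value stops changing, so double-encoded
// payloads such as %252e%252e end up as '..'. Malformed encodings are returned as-is.
function fullyDecode(value, maxRounds = 5) {
  let current = value;
  for (let round = 0; round < maxRounds; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      return current;
    }
    if (next === current) return next;
    current = next;
  }
  return current;
}

// A request target is a traversal attempt when, after decoding and treating
// backslashes as separators, any segment of the path or of a query-string
// value is exactly '..'. A name like 'report..pdf' is not flagged.
function hasTraversal(rawTarget) {
  const decoded = fullyDecode(rawTarget).replace(/\\/g, '/');
  const [pathPart, query = ''] = decoded.split('?');
  const values = query
    .split('&')
    .filter(Boolean)
    .map((kv) => kv.split('=').slice(1).join('='));
  return [pathPart, ...values].some((v) => v.split('/').includes('..'));
}

// Fields: client IP, timestamp, method, request target, status, size.
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

// Returns one finding per log line that carries a traversal payload. A 2xx
// status on such a request is the signal that the file may have been served.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, timestamp, method, target, status] = m;
    if (!hasTraversal(target)) continue;
    findings.push({
      ip,
      timestamp,
      method,
      target,
      decoded: fullyDecode(target),
      status: Number(status),
      likelyServed: status.startsWith('2'),
    });
  }
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.timestamp} ${f.ip} ${f.method} ${f.decoded} -> ${f.status}${f.likelyServed ? ' (likely served)' : ''}`);
}
```

Run it against real proxy logs by replacing SAMPLE_LOG with the file's lines; a traversal target answered with a 2xx and a non-trivial response size is the line to investigate first, while 404s show probing that did not succeed. The decode loop is bounded so a pathological input cannot keep it busy.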
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mockoon (the desktop app, @mockoon/cli and @mockoon/commons-server) to 9.2.0 or later, where the fix is included. The fix resolves the templated file path and checks that the result stays inside a base directory (the new 'getSafeFilePath' method) instead of using the rendered string as-is; configure the server's 'environmentDirectory' option so that base directory is explicit. Until the upgrade is possible: restrict access to the mock server to trusted networks and do not expose it publicly, especially in cloud or CI environments; audit the environment's routes for file responses whose path includes request-derived templating helpers and replace them with fixed filenames or an allow-list of permitted names; and run the server as an unprivileged user with no access to credential files. [1, 2]