CVE-2026-59149
Received Received - Intake

Path Traversal Vulnerability in Mockoon Prior to 9.7.0

Vulnerability report for CVE-2026-59149, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWith(staticBaseDir). That prefix test has no path-separator boundary, so a ../-escaped path whose absolute form string-prefixes the base directory passes, allowing an unauthenticated client to read files from sibling paths outside the served directory through HTTP sendFile, WebSocket, or callbacks. This issue is fixed in version 9.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
mockoon mockoon 9.7.0
mockoon mockoon to 9.7.0 (exc)
mockoon commons-server to 9.7.0 (exc)
mockoon cli to 9.7.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to read files outside the intended served directory, potentially exposing sensitive or confidential data.

Such unauthorized data access can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Because the vulnerability impacts confidentiality by enabling access to files that should be restricted, it poses a risk to compliance with these regulations.

The fix in version 9.7.0 mitigates this risk by properly restricting file path access within the allowed base directory.

Mitigation Strategies

The primary mitigation step is to upgrade Mockoon to version 9.7.0 or later, where the vulnerability is fixed by replacing the insecure path validation with a robust containment check.

If upgrading immediately is not possible, restrict access to the Mockoon service to trusted users or networks to reduce the risk of exploitation.

Review and sanitize any user input used in file path templates to prevent injection of path traversal sequences.

Consider implementing additional file system access controls or sandboxing to limit the impact of potential traversal attempts.

Executive Summary

This vulnerability is a path traversal issue in Mockoon versions prior to 9.7.0. It occurs because the application uses a flawed method to validate file paths when serving FILE responses that embed request data. Specifically, it checks if the resolved file path starts with the base directory path using a simple string prefix check, which does not consider path-separator boundaries. This allows an attacker to craft paths with '../' sequences that escape the intended directory and access files in sibling directories outside the served directory.

The vulnerability allows unauthenticated clients to read arbitrary files outside the allowed directory via HTTP sendFile, WebSocket, or callbacks. The issue was fixed in version 9.7.0 by replacing the prefix check with a more robust path containment validation that properly restricts file access within the base directory.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files located outside the intended served directory. An attacker can exploit it to read configuration files, environment variables, or other sensitive data stored in sibling directories, potentially exposing secrets or private information.

Since the vulnerability allows unauthenticated access, it increases the risk of data leakage without requiring any credentials. The CVSS v3.1 score of 6.5 reflects a medium severity with high confidentiality impact but no impact on integrity or availability.

Detection Guidance

This vulnerability involves path traversal through crafted file paths in Mockoon versions prior to 9.7.0. Detection can focus on monitoring HTTP requests that attempt to access files outside the intended served directory by using path traversal patterns such as '../'.

You can detect potential exploitation attempts by inspecting web server logs or network traffic for requests containing suspicious file path parameters embedding '../' sequences or other traversal patterns.

  • Use tools like grep or similar to search logs for traversal patterns, for example: grep -r "\.\./" /path/to/mockoon/logs
  • Monitor HTTP requests with curl or tcpdump to capture suspicious requests, e.g., tcpdump -A -s 0 'tcp port 3000' | grep '../'
  • If you have access to the Mockoon server, review configuration or code for usage of templated file paths that embed request data, which may be vulnerable.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59149. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart