Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-59049

Good to know:

icon
icon

Date: September 10, 2025

Mockoon provides way to design and run mock APIs. Prior to version 9.2.0, a mock API configuration for static file serving follows the same approach presented in the documentation page, where the server filename is generated via templating features from user input is vulnerable to Path Traversal and LFI, allowing an attacker to get any file in the mock server filesystem. The issue may be particularly relevant in cloud hosted server instances. Version 9.2.0 fixes the issue.

Severity Score

Related Resources (7)

https://github.com/mockoon/mockoon
https://github.com/mockoon/mockoon/commit/c7f6e23e87dc3b8cc44e5802af046200a797bd2e
https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a43e10dc81b0d9c55a9/packages/commons-server/src/libs/server/server.ts#L1551
https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a43e10dc81b0d9c55a9/packages/commons-server/src/libs/server/server.ts#L1400
https://github.com/mockoon/mockoon/security/advisories/GHSA-w7f9-wqc4-3wxr
https://nvd.nist.gov/vuln/detail/CVE-2025-59049
https://www.mend.io/vulnerability-database/CVE-2025-59049

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

External Control of File Name or Path

CWE-73

Path Traversal: '../filedir'

CWE-24

Top Fix

icon

Upgrade Version

Upgrade to version @mockoon/commons-server - 9.2.0;@mockoon/cli - 9.2.0;https://github.com/mockoon/mockoon.git - v9.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us