CVE-2025-59049
Published: 2025-09-10
Priority: P2 (score 60) · Severity: high · CVSS 3.1 base score: 7.5 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 1.66% (73.7th percentile)
Mockoon provides a way to design and run mock APIs. Prior to version 9.2.0, a mock API configuration for static file serving that follows the approach presented in the documentation page, where the server filename is generated via templating features from user input, is vulnerable to path traversal and LFI, allowing an attacker to read any file on the mock server filesystem.
The issue may be particularly relevant in cloud-hosted server instances. Version 9.2.0 fixes the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mockoon | cli | >= 0 < 9.2.0 | 9.2.0 |
| mockoon | commons-server | >= 0 < 9.2.0 | 9.2.0 |
| mockoon | mockoon | < 9.2.0 | 9.2.0 |
Detection & IOCs (extracted from sources)
- Look for URL-encoded path traversal sequences (`..%2f`) in HTTP GET requests targeting static file serving endpoints on Mockoon instances (default static dir: `static`).
- Successful exploitation returns a response body matching `root:.*:0:0:` (Unix /etc/passwd content) with `Content-Type: application/json` — alert on this combination from a Mockoon server.
- The vulnerability is exploitable with a single unauthenticated HTTP GET request (no prior auth required); monitor for path traversal patterns in requests to any Mockoon static-serving route.
- The attack vector is network-accessible with no privileges or user interaction required (CVSS AV:N/AC:L/PR:N/UI:N); prioritize detection on cloud-hosted Mockoon instances.
- The static directory name used in the traversal path is configurable in Mockoon; the Nuclei template defaults to `static` but real deployments may use a different route prefix — adjust detection patterns accordingly.
- The vulnerability only affects Mockoon versions prior to 9.2.0; instances already upgraded are not susceptible.
- Exploitation requires that the Mockoon instance is configured with a static file serving route using unsafe templating of user-supplied input — not all deployments will have this configuration active.
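The indicators above, turned into runnable detection logic as an added example (not from the advisory, the Nuclei template or Mockoon). Request side: percent-decode the URL path a bounded number of times and flag a `..` segment under a static-serving route prefix (default `static`, configurable as the note above says). Response side: match /etc/passwd content returned as JSON. The access-log lines are constructed samples in combined log format; the field layout, IP addresses and function names are assumptions.

```javascript
// Added example (not from the advisory or Mockoon): detection logic for the
// request-side and response-side indicators, over constructed sample data.

// Percent-decode repeatedly (bounded) so ..%2f, %2e%2e%2f and their
// double-encoded forms all normalise to the same literal sequence.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// True when the request path targets a static-serving route prefix and,
// after decoding, contains a ".." path segment (backslashes treated as "/").
function isTraversalRequest(urlPath, staticPrefixes = ['static']) {
  const decoded = fullyDecode(urlPath).replace(/\\/g, '/');
  const segments = decoded.split('?')[0].split('/').filter(Boolean);
  const targetsStatic = segments.length > 0 && staticPrefixes.includes(segments[0]);
  return targetsStatic && segments.includes('..');
}

// Response-side indicator from the list above: passwd content served as JSON.
// Access logs carry no body, so this is meant for a proxy/WAF with body access.
function looksLikePasswdLeak(contentType, body) {
  return /application\/json/i.test(contentType) && /root:.*:0:0:/.test(body);
}

// Constructed sample access-log lines (combined log format, assumed layout).
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Sep/2025:12:00:01 +0000] "GET /static/index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
  '10.0.0.9 - - [10/Sep/2025:12:00:02 +0000] "GET /static/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "python-requests/2.31"',
  '10.0.0.9 - - [10/Sep/2025:12:00:03 +0000] "GET /static/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 0 "-" "python-requests/2.31"',
  '10.0.0.7 - - [10/Sep/2025:12:00:04 +0000] "GET /api/users?q=..%2f HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
];

// client, timestamp, method, path, status, size
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

// Returns one alert per GET whose path is a traversal attempt against a
// static prefix; status is kept so a 200 can be triaged as a likely success.
function scanAccessLog(lines, staticPrefixes = ['static']) {
  const alerts = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, client, ts, method, urlPath, status] = m;
    if (method === 'GET' && isTraversalRequest(urlPath, staticPrefixes)) {
      alerts.push({ client, ts, urlPath, status: Number(status) });
    }
  }
  return alerts;
}

// Stand-alone demo over the constructed lines.
for (const a of scanAccessLog(SAMPLE_LOG)) {
  console.log(`traversal attempt from ${a.client} at ${a.ts}: ${a.urlPath} (status ${a.status})`);
}
```

Passing a different prefix list (for example `['assets']`) adapts the rule to a deployment that does not use `static`; the double-decoding round handles the `%252e` variants that a single decode would miss, and both 200 and 404 attempts are surfaced because an unsuccessful probe still identifies a scanning client.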
GHSA
Mockoon has a Path Traversal and LFI in the static file serving endpoint
ghsa · 2025-03-11 · CVE-2025-59049 [HIGH] CWE-22
### Summary
A mock API configuration for static file serving following the same approach presented in the [documentation page](https://mockoon.com/tutorials/create-endpoint-serving-static-file/), where the server filename is generated via templating features from user input, is vulnerable to Path Traversal and LFI, allowing an attacker to get any file in the mock server filesystem.
The issue may be particularly relevant in cloud hosted server instances.
### Details
In `sendFileWithCallback`([code](https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a43e10dc81b0d9c55a9/packages/commons-server/src/libs/server/server.ts#L1400)) and `sendFile`([code](https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a4
OSV
Mockoon has a Path Traversal and LFI in the static file serving endpoint
osv·2025-03-11
No detection rules found.
Nuclei
Mockoon < 9.2.0 - Path Traversal
nuclei · CVSS 7.5 · CVE-2025-59049 [HIGH]
Mockoon before 9.2.0 contains a path traversal and local file inclusion vulnerability caused by unsafe templating of server filenames from user input, letting attackers read arbitrary files on the mock server filesystem; exploitation requires a crafted request.
Template:
```yaml
id: CVE-2025-59049
info:
  name: Mockoon < 9.2.0 - Path Traversal
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Mockoon before 9.2.0 contains a path traversal and local file inclusion caused by unsafe templating of server filenames from user input, letting attackers read arbitrary files on the mock server filesystem, exploit requires crafted request.
  impact: |
    Attackers can read arbitrary files from the mock server filesystem through path traversal in static file serving, potentially e
```
No writeups or analysis indexed.
References
- https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a43e10dc81b0d9c55a9/packages/commons-server/src/libs/server/server.ts#L1400
- https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a43e10dc81b0d9c55a9/packages/commons-server/src/libs/server/server.ts#L1551
- https://github.com/mockoon/mockoon/commit/c7f6e23e87dc3b8cc44e5802af046200a797bd2e
- https://github.com/mockoon/mockoon/security/advisories/GHSA-w7f9-wqc4-3wxr