CVE-2025-59049
published 2025-09-10


Priority: P2 (score 60), high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: yes
EPSS: 1.66% (73.7th percentile)
Mockoon provides a way to design and run mock APIs. Prior to version 9.2.0, a mock API configuration for static file serving that follows the approach presented in the documentation page, where the served filename is generated via templating features from user input, is vulnerable to path traversal and local file inclusion (LFI), allowing an attacker to read any file on the mock server's filesystem that the server process can access. The issue may be particularly relevant for cloud-hosted server instances. Version 9.2.0 fixes the issue.

Affected

3 ranges
Vendor    Product         Version range     Fixed in
mockoon   cli             >= 0, < 9.2.0     9.2.0
mockoon   commons-server  >= 0, < 9.2.0     9.2.0
mockoon   mockoon         < 9.2.0           9.2.0

Detection & IOCs (extracted from sources)

url:   GET /static/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
path:  ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
other: c7f6e23e87dc3b8cc44e5802af046200a797bd2e
  • Look for URL-encoded path traversal sequences (..%2f) in HTTP GET requests targeting static file serving endpoints on Mockoon instances (default static dir: 'static').
  • Successful exploitation returns a response body matching 'root:.*:0:0:' (Unix /etc/passwd content) with Content-Type: application/json; alert on this combination from a Mockoon server.
  • The vulnerability is exploitable with a single unauthenticated HTTP GET request (no prior auth required); monitor for path traversal patterns in requests to any Mockoon static-serving route.
  • The attack vector is network-accessible with no privileges or user interaction required (CVSS AV:N/AC:L/PR:N/UI:N); prioritize detection on cloud-hosted Mockoon instances.
  • The static directory name used in the traversal path is configurable in Mockoon; the Nuclei template defaults to 'static', but real deployments may use a different route prefix, so adjust detection patterns accordingly.
  • The vulnerability only affects Mockoon versions prior to 9.2.0; instances already upgraded are not susceptible.
  • Exploitation requires that the Mockoon instance is configured with a static file serving route using unsafe templating of user-supplied input; not all deployments will have this configuration active.
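The detection logic from the notes above, run over constructed access-log lines as an added example (not a vendor detection rule and not the Nuclei template; the log lines, response body and function names are constructed for illustration). It percent-decodes request paths up to twice so double-encoded variants are caught, flags any ".." segment regardless of route prefix, and matches passwd-shaped response bodies.

```javascript
// Added example: traversal detection over sample log lines. No network or disk access.

// Percent-decode up to `rounds` times; stop when a round changes nothing or the
// input is malformed. Two rounds cover the double-encoding trick (..%252f).
function decodeRepeatedly(s, rounds = 2) {
  let cur = s;
  for (let i = 0; i < rounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      break;
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// True when the decoded path contains a parent-directory segment, with either
// separator. Checked on the whole path, since the route prefix is configurable.
function hasTraversal(rawPath) {
  const decoded = decodeRepeatedly(rawPath).replace(/\\/g, '/');
  return decoded.split('/').some((seg) => seg === '..');
}

// Unix passwd content leaking through a mock response: a root entry with uid/gid 0.
const PASSWD_RE = /^root:[^:]*:0:0:/m;
function looksLikePasswd(body) {
  return PASSWD_RE.test(body);
}

// Minimal Common/Combined Log Format parser: client ip, method, path, status.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]) };
}

// Scan lines, returning the entries whose request path carries a traversal.
function scanLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (entry && hasTraversal(entry.path)) {
      hits.push({ ...entry, decodedPath: decodeRepeatedly(entry.path) });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic). Line 1 is the advisory's payload,
// line 3 is a double-encoded variant under a non-default route prefix.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Sep/2025:12:00:01 +0000] "GET /static/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1432',
  '198.51.100.22 - - [10/Sep/2025:12:00:02 +0000] "GET /static/users.json HTTP/1.1" 200 88',
  '203.0.113.7 - - [10/Sep/2025:12:00:03 +0000] "GET /files/%2e%2e%252f%2e%2e%252fetc%252fshadow HTTP/1.1" 404 12',
  '198.51.100.22 - - [10/Sep/2025:12:00:04 +0000] "POST /api/login HTTP/1.1" 401 27',
];

// Constructed response body of the kind the IOC note describes.
const SAMPLE_BODY =
  'root:x:0:0:root:/root:/bin/bash\n' +
  'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n';

// Demo run (console output only; the functions above are the reusable part).
for (const hit of scanLogLines(SAMPLE_LOG)) {
  console.log(`${hit.ip} ${hit.method} ${hit.decodedPath} -> ${hit.status}`);
}
console.log('body looks like /etc/passwd:', looksLikePasswd(SAMPLE_BODY));
```

A hit with status 200 plus a passwd-shaped body is the high-confidence case from the IOC note; a 404 hit (line 3 above) still indicates someone probing the route and is worth an alert on its own. Pair the request-side check with the response-side check where the proxy or WAF logs bodies, since a JSON content type on a passwd-shaped body is the telltale combination for this CVE.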