Platform
nodejs
Component
@mockoon/commons-server
Fixed in
9.2.1
9.2.0
CVE-2025-59049 is a path traversal vulnerability in @mockoon/commons-server, the package that runs the server side of Mockoon's mock APIs. When a mock response serves a file whose path is built from request-controlled input (a URL segment, query parameter or header passed through the response templating), the resulting path is not confined to the intended directory, so a crafted request can read other files on the host. The page lists versions before 9.2.0 as affected and 9.2.0 as the release that fixes it.
The direct impact is unauthorized read access to files on the server: configuration files, API keys, environment files and any other secret the mock server process can open. The advisory's mention of cloud-hosted instances matters because a mock server exposed on a shared or public host widens the blast radius, particularly where the same host carries other applications or data. The pattern resembles other path traversal flaws in which a templating feature lets request data flow into a file path and bypass the intended restriction. Arbitrary file read is also a common first step toward further compromise, for example by harvesting credentials that enable privilege escalation or data exfiltration.
CVE-2025-59049 was publicly disclosed on March 11, 2025. Its severity is rated HIGH with a CVSS score of 7.5. No public proof-of-concept (PoC) had been observed as of the disclosure date, but path traversal bugs are simple to weaponize (a single crafted request), so a PoC is likely to appear. The vulnerability is not currently listed in the CISA KEV catalog.
Development teams using @mockoon/commons-server for API mocking are at risk, especially those deploying mock APIs in cloud environments or shared hosting setups. Legacy installations that have not been updated to a fixed version remain vulnerable.
• nodejs / server: search the installed package's source for the file-serving helper the page associates with this flaw (sendFileWithCallback is a function name, so search file contents rather than file names):
grep -rl 'sendFileWithCallback' /path/to/mockoon/node_modules/@mockoon/commons-server
• nodejs / server: list running Mockoon processes so you know which hosts actually serve mock APIs (the bracket trick keeps grep from matching itself):
ps aux | grep -i '[m]ockoon'
• generic web: send a traversal probe with curl against a file-serving route on a test instance (the route and parameter name depend on your mock configuration):
curl 'http://your-mockoon-server/endpoint?filename=../../../../etc/passwd'
A response containing passwd entries means the instance is vulnerable; a 404 or a file from the intended directory means the path was confined.
disclosure
Exploit status
EPSS
1.91% (83rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to upgrade to @mockoon/commons-server version 9.2.0 or later immediately. If upgrading is not immediately feasible, apply temporary workarounds: resolve every user-influenced file path to an absolute path and reject it unless it still lies inside the served directory, reject percent-encoded separators and NUL bytes, and run the mock server as an unprivileged user with read access only to the files it must serve. A Web Application Firewall (WAF) with rules for traversal sequences such as "../" and "%2e%2e" adds a detection layer but is not a substitute for the fix. Review and harden the server's filesystem permissions to limit what a successful read can reach.
Update Mockoon to version 9.2.0 or later. This release fixes the path traversal and LFI vulnerability in the static file serving endpoint and prevents attackers from accessing arbitrary files on the server's filesystem.
CVE-2025-59049 is a path traversal vulnerability in @mockoon/commons-server versions before 9.2.0 that allows attackers to read arbitrary files from the server's filesystem.
You are affected if you use @mockoon/commons-server in a version prior to 9.2.0, including copies pulled in transitively by other Mockoon packages. Check the installed version and upgrade immediately if necessary.
Upgrade to @mockoon/commons-server version 9.2.0 or later to resolve the vulnerability. As a temporary workaround, confine every user-influenced file path to the intended directory and reject traversal sequences before the file is opened.
There is currently no evidence of active exploitation, but a public PoC could emerge and would raise the risk.
Refer to the official Mockoon project repository and release notes for the latest advisory and details on the fix.