Platform: nodejs
Component: @mockoon/commons-server
Fixed in: 9.2.1, 9.2.0
CVE-2025-59049 describes a Path Traversal vulnerability discovered in the @mockoon/commons-server component. The flaw can allow an attacker to read sensitive files from the server's filesystem by manipulating user-supplied input that is used when serving files. The vulnerability affects versions prior to 9.2.0 and has been resolved in that release. A fix is available.
The core of this vulnerability lies in the way @mockoon/commons-server handles static file serving through templating. An attacker can craft malicious requests that exploit this templating mechanism to bypass intended file access restrictions. This allows them to retrieve arbitrary files from the server's filesystem, potentially including configuration files, API keys, or other sensitive data. The impact is particularly concerning in cloud-hosted server instances where the blast radius could be significant, potentially exposing data across multiple users or applications relying on the mock API. Successful exploitation could lead to data breaches and compromise of the entire server environment.
CVE-2025-59049 was publicly disclosed on 2025-03-11. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code may become available, increasing the risk of exploitation.
Exploit Status
EPSS: 1.91% (83rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-59049 is to upgrade immediately to @mockoon/commons-server version 9.2.0 or later. If upgrading is not immediately feasible, apply stricter validation to any user-supplied data that feeds into file path construction: decode the input, resolve it against the intended static directory, and reject anything whose resolved path falls outside that directory. A Web Application Firewall (WAF) with rules that block requests containing path traversal sequences (e.g., ../) adds a further layer of defense, though it should not be relied on alone, since encoded variants can slip past naive pattern matching. Regularly review and audit the mock API configuration to ensure adherence to security best practices. After upgrading, confirm the fix by attempting to access a non-existent file via the vulnerable endpoint and verifying that access is denied.
Update Mockoon to version 9.2.0 or higher. This version fixes the Path Traversal and LFI vulnerability in the static file serving endpoint. The update will prevent attackers from accessing arbitrary files on the server filesystem.
CVE-2025-59049 is a Path Traversal vulnerability in @mockoon/commons-server versions before 9.2.0, allowing attackers to read arbitrary files from the server's filesystem.
You are affected if you are using @mockoon/commons-server versions prior to 9.2.0. Check your installed version and upgrade immediately if necessary.
Upgrade to @mockoon/commons-server version 9.2.0 or later to resolve the vulnerability. Implement input validation as a temporary workaround.
There is currently no evidence of active exploitation, but public POCs could emerge, increasing the risk.
Refer to the official @mockoon project repository and release notes for the latest advisory and details on the fix.