CVE-2025-59049 Overview
CVE-2025-59049 is a Path Traversal and Local File Inclusion (LFI) vulnerability discovered in Mockoon, a popular tool for designing and running mock APIs. Prior to version 9.2.0, the mock API configuration for static file serving contained a critical flaw: server filenames were generated via templating features from user input without proper sanitization. This allows an attacker to traverse directory paths and access any file on the mock server filesystem.
Critical Impact
Attackers can read arbitrary files from the server filesystem, potentially exposing sensitive configuration files, credentials, source code, and other confidential data. This is particularly dangerous for cloud-hosted Mockoon server instances.
Affected Products
- Mockoon versions prior to 9.2.0
- Mockoon commons-server package (static file serving functionality)
- Mockoon serverless deployments
Discovery Timeline
- 2025-09-10 - CVE-2025-59049 published to NVD
- 2025-09-11 - Last updated in NVD database
Technical Details for CVE-2025-59049
Vulnerability Analysis
This vulnerability exists in Mockoon's static file serving functionality within the commons-server package. The application follows a templating approach for generating server filenames based on user input, as documented in Mockoon's official documentation. However, the implementation fails to properly validate and sanitize file path inputs, creating a classic Path Traversal weakness (CWE-22).
When processing requests for static files, the server concatenates user-controlled path segments without adequately filtering directory traversal sequences such as ../. This allows attackers to escape the intended web root directory and access files anywhere on the filesystem that the Mockoon process has read permissions for.
The vulnerability is particularly concerning for cloud-hosted instances where Mockoon servers may have access to sensitive cloud credentials, environment variables, or configuration files that could enable lateral movement or further compromise.
Root Cause
The root cause lies in the improper handling of the environmentDirectory parameter and file path resolution in the server code. The vulnerable code in packages/commons-server/src/libs/server/server.ts processes file serving requests without implementing proper path canonicalization or traversal filtering.
The security patch addressed this by making the environmentDirectory field required rather than optional, ensuring proper path validation is enforced:
/**
* Directory where to find the environment file.
*/
- environmentDirectory?: string;
+ environmentDirectory: string;
/**
* List of routes uuids to disable.
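Review bot: Changing `environmentDirectory?: string` to `environmentDirectory: string` only tightens the TypeScript type; by itself it neither canonicalizes a requested filename nor rejects one that escapes the directory at runtime, and a JavaScript caller can still omit the field. The advisory should quote the server-side change that resolves the requested file against the environment directory and refuses paths outside it, since that is the check the prose says the patch enforces.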
Source: GitHub Commit Details
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by crafting HTTP requests to a Mockoon mock API endpoint that serves static files, including path traversal sequences in the request to access files outside the intended directory.
For example, an attacker could request files like /etc/passwd, /etc/shadow, or cloud provider metadata endpoints by manipulating the file path parameter with sequences like ../../../etc/passwd. The vulnerability allows reading any file accessible to the Mockoon process user context.
The serverless deployment configuration was also updated to address the vulnerability:
import ServerlessHttp from 'serverless-http';
export class MockoonServerless {
- private options: ServerOptions & { logTransaction: boolean } = {
+ private options: Partial<ServerOptions> & { logTransaction: boolean } = {
logTransaction: false,
disabledRoutes: [],
fakerOptions: {},
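Review bot: Wrapping the options as `Partial<ServerOptions>` makes every field, including the newly required `environmentDirectory`, optional again on the serverless side, so the guarantee from the first hunk is lost here unless the serverless wrapper fills the directory in before constructing the server. The visible lines do not show that; an explicit runtime check that the directory is set, or a type that keeps `environmentDirectory` required while relaxing the rest, would make the intent clear.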
Source: GitHub Commit Details
Detection Methods for CVE-2025-59049
Indicators of Compromise
- HTTP requests to Mockoon endpoints containing path traversal sequences (../, ..%2f, %2e%2e/)
- Access logs showing requests for sensitive system files like /etc/passwd, /etc/shadow, or Windows system files
- Requests attempting to access cloud metadata endpoints (e.g., 169.254.169.254)
- Unusual file access patterns in Mockoon server logs indicating filesystem enumeration
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in request URLs
- Monitor application logs for requests containing encoded or decoded traversal sequences
- Deploy file access auditing on sensitive system files to detect unauthorized read access (file integrity monitoring alone records modifications, not reads)
- Configure intrusion detection systems to alert on LFI attack signatures targeting Node.js applications
Monitoring Recommendations
- Enable verbose logging on Mockoon instances to capture full request paths
- Aggregate and analyze logs from cloud-hosted Mockoon servers for anomalous file access patterns
- Set up alerts for requests that match path traversal regex patterns
- Monitor outbound network connections from Mockoon servers that may indicate data exfiltration
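A log scanner for the indicators and regex alerting described in the lists above, as an added example that is not part of the advisory or of Mockoon; the access log lines, client addresses and sensitive-target list are constructed.

```javascript
// Constructed Combined Log Format entries for illustration only.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Sep/2025:12:00:01 +0000] "GET /static/index.html HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Sep/2025:12:00:02 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 200 1843',
  '203.0.113.7 - - [10/Sep/2025:12:00:03 +0000] "GET /static/..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 900',
  '203.0.113.9 - - [10/Sep/2025:12:00:04 +0000] "GET /static/%252e%252e/%252e%252e/proc/self/environ HTTP/1.1" 404 0',
  '10.0.0.6 - - [10/Sep/2025:12:00:05 +0000] "GET /static/docs/readme..txt HTTP/1.1" 200 77',
];

// Request line of a Common/Combined Log Format entry: method, path, protocol.
const REQUEST_RE = /"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP\/[\d.]+"/;
// A ".." segment followed by a separator, in plain, single- or double-encoded
// form (covers the ../, ..%2f and %2e%2e/ indicators listed above).
const TRAVERSAL_RE = /(\.\.|%2e%2e|%252e%252e)(\/|\\|%2f|%5c|%252f|%255c)/i;
// Targets a mock API has no legitimate reason to serve.
const SENSITIVE_RE = /\/etc\/(passwd|shadow)|\/proc\/self|169\.254\.169\.254/i;

// Returns a comma-separated list of reasons, or null when the path looks benign.
function classifyRequestPath(rawPath) {
  const reasons = [];
  if (TRAVERSAL_RE.test(rawPath)) reasons.push('traversal sequence');
  let decoded = rawPath;
  try {
    decoded = decodeURIComponent(decodeURIComponent(rawPath)); // two rounds: double encoding
  } catch {
    reasons.push('malformed percent-encoding');
  }
  if (SENSITIVE_RE.test(decoded)) reasons.push('sensitive target');
  return reasons.length ? reasons.join(', ') : null;
}

// Scans log lines and returns one finding per suspicious request.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const reason = classifyRequestPath(m[1]);
    if (reason) findings.push({ client: line.split(' ')[0], path: m[1], reason });
  }
  return findings;
}

console.log(scanAccessLog(SAMPLE_LOG));
```

The last sample line shows why the regex requires a separator after `..`: a filename like `readme..txt` is not a traversal and must not page anyone.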
How to Mitigate CVE-2025-59049
Immediate Actions Required
- Upgrade all Mockoon installations to version 9.2.0 or later immediately
- Audit access logs for any prior exploitation attempts using path traversal patterns
- Review and restrict filesystem permissions for the Mockoon process user
- Implement network segmentation to limit access to sensitive files from Mockoon servers
Patch Information
The vulnerability has been fixed in Mockoon version 9.2.0. The patch commit c7f6e23e87dc3b8cc44e5802af046200a797bd2e addresses the path traversal issue by enforcing proper path validation and making the environmentDirectory field required. Users should update via their package manager:
# Update Mockoon CLI (add -g if it was installed globally)
npm update @mockoon/cli
# Update Mockoon serverless package
npm update @mockoon/serverless
For additional details, refer to the GitHub Security Advisory.
Workarounds
- Place Mockoon servers behind a reverse proxy with path traversal filtering enabled
- Restrict network access to Mockoon instances to trusted IP ranges only
- Run Mockoon in a containerized environment with a minimal filesystem and no sensitive files accessible
- Implement application-level input validation if custom middleware is being used with Mockoon
# Example: Run Mockoon in Docker with restricted filesystem access
docker run -d \
--read-only \
--tmpfs /tmp \
-v /path/to/mock/data:/data:ro \
-p 3000:3000 \
mockoon/cli:latest \
--data /data/mock.json
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.