CVE-2025-59049
Published: 10 September 2025
Summary
CVE-2025-59049 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 16.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Mockoon is an open-source tool for designing and running mock APIs. Prior to version 9.2.0, its static file serving feature generated server filenames through templating driven by user-supplied input, exposing the implementation to path traversal and local file inclusion. The affected code paths reside in the commons-server package, allowing an unauthenticated remote attacker to reference arbitrary files on the mock server filesystem. The flaw carries a CVSS 3.1 score of 7.5 and is tracked under CWE-22, CWE-24, and CWE-73; it is especially relevant for cloud-hosted deployments.
An attacker can supply crafted template values in a mock API route configuration to traverse directories and retrieve any readable file from the underlying host. Because the vulnerability is exploitable over the network without authentication or user interaction, an adversary could obtain configuration secrets, source code, or other sensitive data stored on the server.
The project’s security advisory GHSA-w7f9-wqc4-3wxr and the fixing commit c7f6e23e87dc3b8cc44e5802af046200a797bd2e indicate that the issue is resolved in Mockoon 9.2.0. The patch updates filename handling to prevent traversal sequences originating from user-controlled template input.
EPSS for the CVE rose from a low baseline to a peak of 0.0622 on 2025-12-11 before receding to the current value of 0.0191, indicating a measurable increase in exploitation interest several months after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27607
Vulnerability details
Mockoon provides a way to design and run mock APIs. Prior to version 9.2.0, a mock API configuration for static file serving follows the same approach presented in the documentation page, where the server filename is generated via templating features from user input is vulnerable to Path Traversal and LFI, allowing an attacker to get any file in the mock server filesystem. The issue may be particularly relevant in cloud hosted server instances. Version 9.2.0 fixes the issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.