๐Ÿ” CVE Alert

CVE-2026-59149

MEDIUM 6.5

Mockoon: Path traversal in templated `filePath` lets a request escape the served directory (prefix-only base check)

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWith(staticBaseDir). That prefix test has no path-separator boundary, so a ../-escaped path whose absolute form string-prefixes the base directory passes, allowing an unauthenticated client to read files from sibling paths outside the served directory through HTTP sendFile, WebSocket, or callbacks. This issue is fixed in version 9.7.0.

CWE CWE-22 CWE-23
Vendor mockoon
Product mockoon
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for mockoon mockoon

Be the first to know when new medium vulnerabilities affecting mockoon mockoon are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

mockoon / mockoon
< 9.7.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/mockoon/mockoon/security/advisories/GHSA-8wqc-v2q8-vff2 github.com: https://github.com/mockoon/mockoon/pull/2255 github.com: https://github.com/mockoon/mockoon/commit/b42bdfb7f82e83f0e81bea8e6fe41adf5ec82585 github.com: https://github.com/mockoon/mockoon/releases/tag/v9.7.0 mockoon.com: https://mockoon.com/releases/9.7.0