CVE-2026-59149
Mockoon: Path traversal in templated `filePath` lets a request escape the served directory (prefix-only base check)
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWith(staticBaseDir). That prefix test has no path-separator boundary, so a ../-escaped path whose absolute form string-prefixes the base directory passes, allowing an unauthenticated client to read files from sibling paths outside the served directory through HTTP sendFile, WebSocket, or callbacks. This issue is fixed in version 9.7.0.
| CWE | CWE-22 CWE-23 |
| Vendor | mockoon |
| Product | mockoon |
| Published | Jul 9, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for mockoon mockoon
Be the first to know when new medium vulnerabilities affecting mockoon mockoon are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
mockoon / mockoon
< 9.7.0
References
github.com: https://github.com/mockoon/mockoon/security/advisories/GHSA-8wqc-v2q8-vff2 github.com: https://github.com/mockoon/mockoon/pull/2255 github.com: https://github.com/mockoon/mockoon/commit/b42bdfb7f82e83f0e81bea8e6fe41adf5ec82585 github.com: https://github.com/mockoon/mockoon/releases/tag/v9.7.0 mockoon.com: https://mockoon.com/releases/9.7.0