Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
UI:R reflects the operator must configure dynamic FILE routes; AV:N and PR:N because the attacker requires no credentials; C:H for arbitrary file read; I:N and A:N since no write or denial capability exists.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWith(staticBaseDir). That prefix test has no path-separator boundary, so a ../-escaped path whose absolute form string-prefixes the base directory passes, allowing an unauthenticated client to read files from sibling paths outside the served directory through HTTP sendFile, WebSocket, or callbacks. This issue is fixed in version 9.7.0.
AnalysisAI
Path traversal in Mockoon prior to 9.7.0 allows unauthenticated network clients to read arbitrary files from sibling paths outside the configured static serving directory. The vulnerability exists in the getSafeFilePath function in packages/commons-server/src/libs/server/server.ts, which enforces directory confinement using a bare string-prefix check (resolvedPath.startsWith(staticBaseDir)) without a path-separator boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the targeted Mockoon instance has at least one FILE response type route configured where the `filePath` value dynamically embeds inbound request data (such as a URL path segment, query parameter, or other request-derived variable). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects high confidentiality impact but scoped scope and required user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a running Mockoon instance (e.g., exposed on a development or CI network) that has a FILE response route configured to serve files using a request-controlled path parameter. The attacker sends an HTTP request with a crafted path value - such as `../mockdata-sibling/../../etc/hostname` - that, after resolution, begins with the base directory string but resolves outside it. … |
| Remediation | Upgrade Mockoon to version 9.7.0, which is confirmed as the vendor-released fix per the GitHub release at https://github.com/mockoon/mockoon/releases/tag/v9.7.0 and the advisory at https://github.com/mockoon/mockoon/security/advisories/GHSA-8wqc-v2q8-vff2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42684