Skip to main content

Mockoon EUVDEUVD-2026-42684

| CVE-2026-59149 MEDIUM
Path Traversal (CWE-22)
2026-07-09 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

UI:R reflects the operator must configure dynamic FILE routes; AV:N and PR:N because the attacker requires no credentials; C:H for arbitrary file read; I:N and A:N since no write or denial capability exists.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 20:01 EUVD
Analysis Generated
Jul 09, 2026 - 19:02 vuln.today

DescriptionCVE.org

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWith(staticBaseDir). That prefix test has no path-separator boundary, so a ../-escaped path whose absolute form string-prefixes the base directory passes, allowing an unauthenticated client to read files from sibling paths outside the served directory through HTTP sendFile, WebSocket, or callbacks. This issue is fixed in version 9.7.0.

AnalysisAI

Path traversal in Mockoon prior to 9.7.0 allows unauthenticated network clients to read arbitrary files from sibling paths outside the configured static serving directory. The vulnerability exists in the getSafeFilePath function in packages/commons-server/src/libs/server/server.ts, which enforces directory confinement using a bare string-prefix check (resolvedPath.startsWith(staticBaseDir)) without a path-separator boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover Mockoon instance with dynamic FILE route
Delivery
Craft request embedding path traversal payload
Exploit
Submit request via HTTP/WebSocket/callback
Execution
getSafeFilePath passes sibling-prefix bypass
Persist
Mockoon serves file via sendFile
Impact
Attacker reads out-of-bounds file contents

Vulnerability AssessmentAI

Exploitation Exploitation requires that the targeted Mockoon instance has at least one FILE response type route configured where the `filePath` value dynamically embeds inbound request data (such as a URL path segment, query parameter, or other request-derived variable). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects high confidentiality impact but scoped scope and required user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a running Mockoon instance (e.g., exposed on a development or CI network) that has a FILE response route configured to serve files using a request-controlled path parameter. The attacker sends an HTTP request with a crafted path value - such as `../mockdata-sibling/../../etc/hostname` - that, after resolution, begins with the base directory string but resolves outside it. …
Remediation Upgrade Mockoon to version 9.7.0, which is confirmed as the vendor-released fix per the GitHub release at https://github.com/mockoon/mockoon/releases/tag/v9.7.0 and the advisory at https://github.com/mockoon/mockoon/security/advisories/GHSA-8wqc-v2q8-vff2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy