Skip to main content

Mockoon

2 CVEs product

Monthly

CVE-2026-59149 MEDIUM PATCH This Month

Path traversal in Mockoon prior to 9.7.0 allows unauthenticated network clients to read arbitrary files from sibling paths outside the configured static serving directory. The vulnerability exists in the `getSafeFilePath` function in `packages/commons-server/src/libs/server/server.ts`, which enforces directory confinement using a bare string-prefix check (`resolvedPath.startsWith(staticBaseDir)`) without a path-separator boundary. Because any path whose absolute form begins with the base directory string - including sibling directories sharing a common prefix - passes this check, crafted `../`-escaped values embedded in request data can escape the sandbox across HTTP sendFile, WebSocket, and callback channels. No public exploit code identified at time of analysis and no CISA KEV listing.

Path Traversal Mockoon
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-59148 HIGH PATCH This Week

Missing authentication on Mockoon's admin API (commons-server admin-api.ts) prior to 9.7.0 lets any unauthenticated party who can reach the mock server port fully control the runtime. Because the admin routes are mounted on the same Express listener as user mock routes, enabled by default, serve Access-Control-Allow-Origin: * with write methods, and require no credentials, an attacker can read MOCKOON_* environment variables, write arbitrary process env vars, rewrite mock route bodies/statuses/headers, read transaction logs and SSE streams, and purge state. No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Mockoon
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in Mockoon prior to 9.7.0 allows unauthenticated network clients to read arbitrary files from sibling paths outside the configured static serving directory. The vulnerability exists in the `getSafeFilePath` function in `packages/commons-server/src/libs/server/server.ts`, which enforces directory confinement using a bare string-prefix check (`resolvedPath.startsWith(staticBaseDir)`) without a path-separator boundary. Because any path whose absolute form begins with the base directory string - including sibling directories sharing a common prefix - passes this check, crafted `../`-escaped values embedded in request data can escape the sandbox across HTTP sendFile, WebSocket, and callback channels. No public exploit code identified at time of analysis and no CISA KEV listing.

Path Traversal Mockoon
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Missing authentication on Mockoon's admin API (commons-server admin-api.ts) prior to 9.7.0 lets any unauthenticated party who can reach the mock server port fully control the runtime. Because the admin routes are mounted on the same Express listener as user mock routes, enabled by default, serve Access-Control-Allow-Origin: * with write methods, and require no credentials, an attacker can read MOCKOON_* environment variables, write arbitrary process env vars, rewrite mock route bodies/statuses/headers, read transaction logs and SSE streams, and purge state. No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Mockoon
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy