Back to overview

CVE-2026-59149

MEDIUM Exploitation: PoC
6.5
CVSS 3.1
Description
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWith(staticBaseDir). That prefix test has no path-separator boundary, so a ../-escaped path whose absolute form string-prefixes the base directory passes, allowing an unauthenticated client to read files from sibling paths outside the served directory through HTTP sendFile, WebSocket, or callbacks. This issue is fixed in version 9.7.0.

Metadata

CVE ID
CVE-2026-59149
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-02 16:50 UTC
Published
2026-07-09 18:28 UTC
Last updated
2026-07-09 18:41 UTC
Primary CWE
CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product
mockoon / mockoon
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
mockoon mockoon < 9.7.0
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23 cna CWE-23: Relative Path Traversal
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References (5)
Back to overview