CVE-2025-59049: 
JavaScript vulnerability analysis and mitigation

Mockoon, a tool for designing and running mock APIs, was found to contain a path traversal and Local File Inclusion (LFI) vulnerability (CVE-2025-59049) prior to version 9.2.0. The vulnerability exists in the static file serving functionality where server filenames generated via templating features from user input were not properly validated. This security issue was discovered on September 10, 2025, and affects all versions up to 9.1.0 (GitHub Advisory).

The vulnerability stems from insufficient path validation in the sendFileWithCallback() and sendFile() functions. When processing file paths, the application uses TemplateParser without proper sanitization of user input, allowing path traversal sequences (e.g., ../../../../../etc/passwd). The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating it can be exploited remotely without requiring privileges or user interaction (GitHub Advisory).

The vulnerability allows attackers to access any file in the mock server filesystem through path traversal and Local File Inclusion (LFI) attacks. This issue is particularly concerning for cloud-hosted server instances where unauthorized access to sensitive files could lead to significant security breaches. The CVSS scoring indicates high impact on confidentiality while integrity and availability remain unaffected (GitHub Advisory).

The vulnerability has been fixed in version 9.2.0 of Mockoon. Users are strongly advised to upgrade to this version or later. The fix includes proper validation and sanitization of file paths to prevent path traversal attacks (GitHub Advisory).