CVE-2025-59049: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59049 affects Mockoon, a tool for designing and running mock APIs. Prior to version 9.2.0, the mock API configuration for static file serving was vulnerable to Path Traversal and Local File Inclusion (LFI) attacks. The vulnerability was discovered and disclosed on March 11, 2025, affecting all versions up to 9.1.0 of @mockoon/cli and @mockoon/commons-server packages (GitHub Advisory).

The vulnerability exists in the server filename generation process via templating features from user input. Specifically, in the sendFileWithCallback(code) and sendFile(code) functions, the filePath variable is parsed using TemplateParser without proper path sanitization. The CVSS v3.1 score is 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

The vulnerability allows an attacker to access any file in the mock server filesystem through path traversal techniques. This issue is particularly critical in cloud-hosted server instances where sensitive files could be exposed. The vulnerability primarily affects confidentiality, allowing unauthorized access to files outside the intended directory structure (GitHub Advisory).

The vulnerability has been fixed in version 9.2.0 of the affected packages. Users should upgrade to this version or later to protect against path traversal and LFI attacks. The fix includes proper path sanitization and validation of user input used in file path generation (GitHub Advisory).