GHSA-w7f9-wqc4-3wxr: 
JavaScript vulnerability analysis and mitigation

A path traversal and Local File Inclusion (LFI) vulnerability was discovered in Mockoon's static file serving endpoint affecting versions <= 9.1.0 of @mockoon/cli and @mockoon/commons-server packages. The vulnerability was disclosed on March 11, 2025, and patched in version 9.2.0. The issue allows attackers to access arbitrary files on the mock server filesystem through manipulated file paths, particularly impacting cloud-hosted server instances (GitHub Advisory).

The vulnerability exists in the sendFileWithCallback(code) and sendFile(code) functions where the filePath variable is parsed using TemplateParser without proper path sanitization. The issue occurs when server filename is generated via templating features from user input. The CVSS v3.1 score is 7.5 (High), with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is tracked as GHSA-w7f9-wqc4-3wxr and is associated with CWE-20, CWE-73, and CWE-200 (GitHub Advisory).

The vulnerability allows attackers to access any file in the mock server filesystem through path traversal attacks. This is particularly concerning for cloud-hosted server instances where sensitive system files could be exposed. The vulnerability has a High confidentiality impact, though integrity and availability are not affected (GitHub Advisory).

The vulnerability has been patched in version 9.2.0 of both @mockoon/cli and @mockoon/commons-server packages. Users should upgrade to these versions or later to protect against this vulnerability. The fix includes proper path sanitization and validation to prevent directory traversal attacks (GitHub Commit).