
Security Update: new CVE published and patched in v9.2.0

A high-severity vulnerability (CVE-2025-59049) has been discovered and patched in Mockoon. We advise all users to update to version >= 9.2.0

Posted by Guillaume, Founder

We are issuing a security advisory to inform our community about a vulnerability, identified as CVE-2025-59049 and initially reported through GitHub Security Advisories (GHSA-w7f9-wqc4-3wxr), that has been discovered and subsequently patched in all Mockoon applications as part of release 9.2.0.

Summary

The vulnerability allows for path traversal and local file inclusion (LFI) through insecure template helpers. An attacker could craft a malicious Mockoon data file that, when loaded by a user, could allow access to sensitive files on the user's machine.

How does the vulnerability work?

The file serving feature in Mockoon allows users to serve files from their local filesystem as part of their mock API responses. It also supports templating helpers, allowing dynamic path generation based on request data or other variables.

Files can be served using absolute or relative paths, resolved from the data file location.

A file path containing a template such as ./{{queryParam 'path'}} (dynamic), or a static traversal path such as ../../../passwd, could be used by an attacker to read files outside the data file directory and return them in mock API responses.

The vulnerability was patched by preventing path escaping from the data file directory, ensuring that only files within the data file directory (and its subdirectories) can be served.

Is my infrastructure at risk?

While the severity of this vulnerability is high, the exploit probability is low.

For the vulnerability to be exploited, a user must either:

  • import and run a mock API from a data file containing a malicious file path (dynamic or not) and expose it to untrusted users, or
  • create a data file with a dynamic file path (using templating helpers) and expose it to untrusted users.

However, we strongly recommend that all users update, especially those running publicly exposed mock APIs.

Affected versions

All applications are affected up to and including version 9.1.0.

Patched versions

The vulnerability has been fixed in version 9.2.0 for all applications.

We urge all users to update to version 9.2.0 or newer immediately. You can download the latest desktop version or update the CLI and Serverless packages from NPM: npm install @mockoon/cli@latest
