CVE-2025-54376

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424	Patch
https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hoverfly:hoverfly:*:*:*:*:*:*:*:*

History

29 Apr 2026, 01:00

Type	Values Removed	Values Added
Summary		(es) Hoverfly es una herramienta de simulación de API de código abierto. En las versiones 1.11.3 y anteriores, el endpoint WebSocket de administración de Hoverfly /api/v2/ws/logs no está protegido por el mismo middleware de autenticación que protege la API REST de administración. En consecuencia, un atacante remoto no autenticado puede transmitir registros de aplicación en tiempo real (revelación de información) y/o obtener información sobre rutas de archivos internas, cuerpos de solicitud/respuesta y otros datos potencialmente sensibles emitidos en los registros. La versión 1.12.0 contiene una corrección para el problema.

24 Sep 2025, 14:18

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Hoverfly Hoverfly hoverfly
References	~~() https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424 -~~	() https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424 - Patch
References	~~() https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp -~~	() https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp - Exploit, Vendor Advisory
CWE		CWE-532
CPE		cpe:2.3:a:hoverfly:hoverfly::::::::

10 Sep 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-10 20:15

Updated : 2026-04-29 01:00

NVD link : CVE-2025-54376

Mitre link : CVE-2025-54376

CVE.ORG link : CVE-2025-54376

JSON object : View

Products Affected

hoverfly

hoverfly

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-287

Improper Authentication

CWE-532

Insertion of Sensitive Information into Log File

7.5 /10