CVE-2025-54123

CRITICAL EXPLOITED NUCLEI

Hoverfly < 1.12.0 - OS Command Injection

Title source: rule

Description

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. This issue is born due to combination of three code level flaws: Insufficient Input Validation in middleware.go line 94-96; Unsafe Command Execution in local_middleware.go line 14-19; and Immediate Execution During Testing in hoverfly_service.go line 173. This allows an attacker to gain remote code execution (RCE) on any system running the vulnerable Hoverfly service. Since the input is directly passed to system commands without proper checks, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process. Commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 in version 1.12.0 disables the set middleware API by default, and subsequent changes to documentation make users aware of the security changes of exposing the set middleware API.

Exploits (5)

nomisec WORKING POC 1 stars

by kasem545 · remote-auth

https://github.com/kasem545/CVE-2025-54123-Poc

View Code ZIP pw:eip

nomisec WORKING POC

by davidzzo23 · remote

https://github.com/davidzzo23/CVE-2025-54123

View Code ZIP pw:eip

nomisec WORKING POC

by f4dee-backup · remote

https://github.com/f4dee-backup/CVE-2025-54123

View Code ZIP pw:eip

nomisec WORKING POC

by tristanqtn · remote-auth

https://github.com/tristanqtn/CVE-2025-54123

View Code ZIP pw:eip

nomisec WORKING POC

by 0xzap · remote-auth

https://github.com/0xzap/CVE-2025-54123

View Code ZIP pw:eip

Nuclei Templates (1)

Hoverfly <= 1.11.3 - Remote Code Execution

CRITICALVERIFIEDby nukunga[seonghyeonJeon]

Shodan: http.favicon.hash:1357234275 || title:"Hoverfly Dashboard"

FOFA: icon_hash="1357234275" || title="Hoverfly Dashboard"

References (6)

[Product] https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173

[Product] https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13

[Product] https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93

View Writeup ZIP pw:eip

[Patch] https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40

[Patch] https://github.com/SpectoLabs/hoverfly/commit/a9d4da7bd7269651f54542ab790d0c613d568d3e

[Exploit, Vendor Advisory] https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf

Scores

CVSS v3 9.8

EPSS 0.5814

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-11-10

CWE

CWE-78 CWE-20

Status published

Products (2)

hoverfly/hoverfly < 1.12.0

SpectoLabs/hoverfly 0Go

Published Sep 10, 2025

Tracked Since Feb 18, 2026