CVE-2025-54376

HIGH

Hoverfly < 1.12.0 - Unauthenticated Sensitive Information Exposure via Admin WebSocket Endpoint

Title source: llm

Description

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp

Patch x_refsource_misc

https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0066

EPSS Percentile 46.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-200 CWE-287 CWE-532

Status published

Products (2)

hoverfly/hoverfly < 1.12.0

SpectoLabs/hoverfly 0 - 1.12.0Go

Published Sep 10, 2025

Tracked Since Feb 18, 2026