CVE-2025-54123
📋 TL;DR
This CVE describes a critical remote code execution vulnerability in Hoverfly's admin REST API. The middleware endpoint, /api/v2/hoverfly/middleware, accepts a middleware definition (a binary to run and a script to hand to it) and Hoverfly executes that binary on the host (see core/middleware/local_middleware.go in the references). Because the admin API does not require authentication unless that is explicitly enabled, anyone who can reach the admin port (8888 by default) of a vulnerable version (1.11.3 and prior) can run arbitrary commands with the privileges of the Hoverfly process. Organizations using Hoverfly for API simulation and testing are affected.
💻 Affected Systems
- Hoverfly
📦 What is this software?
Hoverfly by SpectoLabs: an open-source API simulation (service virtualization) tool written in Go. It runs a proxy/webserver that serves simulated services and a separate admin REST API (port 8888 by default) used to load simulations, configure modes and set middleware; the admin API is the component affected here.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining shell access, installing persistence mechanisms, accessing sensitive data, and pivoting to other systems in the network.
Likely Case
Remote code execution leading to data theft, service disruption, or cryptocurrency mining malware deployment.
If Mitigated
Limited impact if the admin port is reachable only from trusted hosts, admin API authentication is enabled, and Hoverfly runs as an unprivileged user in an isolated container or host.
🎯 Exploit Status
In the default configuration the vulnerability requires no authentication (admin API authentication is off unless enabled) and needs only a single crafted request to a documented endpoint. Public exploit code is likely to emerge given the high CVSS score and the RCE impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.12.0 and later
Vendor Advisory: https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf
Fix Commit: https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40
Restart Required: Yes
Instructions:
1. Upgrade Hoverfly to version 1.12.0 or later.
2. Restart the Hoverfly service.
3. Verify the fix: hoverfly --version reports 1.12.0 or later and the middleware API endpoint no longer behaves as on the vulnerable version (see How to Verify below).
🔧 Temporary Workarounds
Disable middleware API endpoint
Platform: all
Manually disable the vulnerable /api/v2/hoverfly/middleware endpoint:
- Edit the Hoverfly configuration to remove or disable middleware functionality.
- Set firewall rules so that only hosts that legitimately manage Hoverfly can reach the admin port.
Enable admin API authentication
Platform: all
If the admin API must stay reachable, enable Hoverfly's built-in admin API authentication (the -auth-enabled flag together with -username and -password; see the Hoverfly documentation) so the middleware endpoint can no longer be called anonymously. This reduces exposure but does not remove the need to upgrade.
Network segmentation and access control
Platform: linux
Restrict network access to the Hoverfly admin port (8888 by default). Replace trusted_ip with the address or CIDR of the hosts that manage Hoverfly; the ACCEPT rule must be appended before the DROP rule so it is evaluated first:
# allow the management host(s)
iptables -A INPUT -p tcp --dport 8888 -s trusted_ip -j ACCEPT
# drop everything else reaching the admin port
iptables -A INPUT -p tcp --dport 8888 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to isolate Hoverfly instances from untrusted networks
- Run Hoverfly with minimal privileges using non-root user accounts and container isolation
🔍 How to Verify
Check if Vulnerable:
Check the Hoverfly version with hoverfly --version (or GET /api/v2/hoverfly/version on the admin port, which returns a JSON object with a "version" field). If the version is 1.11.3 or earlier, the instance is vulnerable. Then check whether the admin port is reachable from untrusted networks and whether admin API authentication is disabled; if both hold, the middleware endpoint can be exploited anonymously.
Check Version:
hoverfly --version
Verify Fix Applied:
After the upgrade, confirm that hoverfly --version (or the version endpoint) reports 1.12.0 or later, and confirm that the middleware API endpoint returns 404 or is disabled.
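The version check above, as an added example that is not part of this page or of the Hoverfly project. It parses the version string from either hoverfly --version output or the admin API's /api/v2/hoverfly/version response, compares it with the fixed release the advisory names, and combines that with the two exposure conditions (admin port reachable from untrusted networks, authentication off) into a single verdict. The sample API response is constructed so the script runs offline; fetch_version is only used when you point it at a live admin port.

```python
"""Added example (not Hoverfly project code): decide whether a Hoverfly
instance is in the affected range for CVE-2025-54123."""
import json
import re
import urllib.request

FIXED_MIN = (1, 12, 0)  # first fixed release per the advisory; 1.11.3 and prior are affected

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract major.minor.patch from strings such as 'v1.11.3',
    'hoverfly version: v1.11.3' or '1.12.0'."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """True when the version is older than the first fixed release."""
    return parse_version(version_text) < FIXED_MIN


def version_from_api_json(body: str) -> str:
    """GET /api/v2/hoverfly/version on the admin port returns {"version": "..."}."""
    return json.loads(body)["version"]


def assess(version_text: str, auth_enabled: bool, admin_reachable_untrusted: bool) -> str:
    """Combine version and exposure into a verdict for triage."""
    if not is_vulnerable(version_text):
        return "not affected"
    if admin_reachable_untrusted and not auth_enabled:
        return "vulnerable: unauthenticated RCE reachable, patch immediately"
    return "vulnerable: upgrade required, exposure currently limited"


def fetch_version(admin_url: str = "http://127.0.0.1:8888", timeout: float = 3.0) -> str:
    """Query a live admin port (not used by the offline sample below)."""
    with urllib.request.urlopen(f"{admin_url}/api/v2/hoverfly/version", timeout=timeout) as resp:
        return version_from_api_json(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample response so the check runs without a Hoverfly instance.
    sample_body = '{"version": "v1.11.3"}'
    version = version_from_api_json(sample_body)
    print(version, "->", assess(version, auth_enabled=False, admin_reachable_untrusted=True))
```

Run it against a real instance by replacing the sample with fetch_version("http://<hoverfly-host>:8888"); the two exposure booleans come from your firewall and launch flags, which this script cannot determine on its own.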
📡 Detection & Monitoring
Log Indicators:
- PUT or POST requests to /api/v2/hoverfly/middleware, especially from sources that do not normally manage the instance
- Child processes spawned by the hoverfly process (a shell, interpreter or other binary) that do not belong to a known, sanctioned middleware setup
- Suspicious command execution patterns in system or audit logs on the Hoverfly host
Network Indicators:
- Unusual outbound connections from the Hoverfly host (reverse shells, download of tooling, mining pools)
- Inbound traffic to the admin port (8888 by default) from networks that should not reach it, in particular writes to the middleware endpoint
SIEM Query:
source="hoverfly.log" AND uri_path="/api/v2/hoverfly/middleware" AND (method="PUT" OR method="POST") AND status!=404
(field names are illustrative; adapt them to the log source you ingest, and treat successful writes from untrusted addresses as a probable compromise rather than a mere attempt)
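The log indicators and the SIEM query above, turned into detection logic over sample log lines. This is an added example, not Hoverfly or vendor code; the log lines are constructed in a combined-access-log style (Hoverfly's own admin log format may differ, so the regex is the part to adapt), and the trusted CIDR is an assumption. Writes to the middleware endpoint from a trusted management host are recorded for audit, failed writes from elsewhere are flagged as attempts, and a successful write from an untrusted source is rated high because on a vulnerable version it means the attacker's binary is now set to run.

```python
"""Added example (not Hoverfly or vendor code): flag writes to the
middleware endpoint in HTTP access logs for CVE-2025-54123 triage."""
import ipaddress
import re
from typing import Dict, Iterable, List

MIDDLEWARE_PATH = "/api/v2/hoverfly/middleware"
WRITE_METHODS = {"PUT", "POST"}

# Assumed line format: <src_ip> - - [<ts>] "<METHOD> <path> HTTP/1.1" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def scan(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> List[Dict]:
    """Return one alert per write request to the middleware endpoint."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if path != MIDDLEWARE_PATH or m["method"] not in WRITE_METHODS:
            continue
        src = ipaddress.ip_address(m["src"])
        trusted = any(src in net for net in nets)
        status = int(m["status"])
        if trusted:
            severity = "info"      # sanctioned management traffic, keep for audit
        elif 200 <= status < 300:
            severity = "high"      # middleware was set by an untrusted source
        else:
            severity = "medium"    # rejected attempt (4xx/5xx) from an untrusted source
        alerts.append({
            "ts": m["ts"], "src": str(src), "method": m["method"],
            "status": status, "trusted": trusted, "severity": severity,
        })
    return alerts


def probable_compromise(alerts: List[Dict]) -> bool:
    return any(a["severity"] == "high" for a in alerts)


# Constructed sample log; 10.0.0.0/8 is the assumed management network.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2025:12:00:01 +0000] "GET /api/v2/hoverfly/middleware HTTP/1.1" 200 45',
    '10.0.0.5 - - [10/Aug/2025:12:00:02 +0000] "PUT /api/v2/hoverfly/middleware HTTP/1.1" 200 61',
    '203.0.113.7 - - [10/Aug/2025:12:01:13 +0000] "PUT /api/v2/hoverfly/middleware HTTP/1.1" 200 61',
    '203.0.113.7 - - [10/Aug/2025:12:01:14 +0000] "POST /api/v2/hoverfly/middleware HTTP/1.1" 404 19',
    '198.51.100.9 - - [10/Aug/2025:12:02:00 +0000] "GET /api/v2/simulation HTTP/1.1" 200 1200',
]
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, TRUSTED):
        print(alert)
    print("probable compromise:", probable_compromise(scan(SAMPLE_LOG, TRUSTED)))
```

A high-severity hit should trigger the incident response steps above (process tree and outbound connection review on the host), since a successful write on a vulnerable version means the supplied binary will execute the next time middleware runs.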
🔗 References
- https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173
- https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13
- https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93
- https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40
- https://github.com/SpectoLabs/hoverfly/commit/a9d4da7bd7269651f54542ab790d0c613d568d3e
- https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf