CVE-2025-54376 – Hoverfly versions 1.11.3 and prior have an auth... (How to Fix)

Q: What is the severity of CVE-2025-54376?

CVE-2025-54376 has a CVSS score of 7.5 (HIGH). Hoverfly versions 1.11.3 and prior have an authentication bypass vulnerability in the admin WebSocket endpoint /api/v2/ws/logs. Unauthenticated attackers can stream real-time application logs containing sensitive data like internal file paths and request/response bodies. Organizations using vulnerable Hoverfly instances are affected.

📋 TL;DR

Hoverfly versions 1.11.3 and prior have an authentication bypass vulnerability in the admin WebSocket endpoint /api/v2/ws/logs. Unauthenticated attackers can stream real-time application logs containing sensitive data like internal file paths and request/response bodies. Organizations using vulnerable Hoverfly instances are affected.

💻 Affected Systems

Products:

Hoverfly

Versions: 1.11.3 and prior

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects instances with admin API enabled (default).

📦 What is this software?

Hoverfly by Hoverfly

View all CVEs affecting Hoverfly →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full visibility into application internals, extract credentials or sensitive data from logs, and use insights for further attacks.

🟠

Likely Case

Information disclosure of internal paths, API traffic details, and potentially sensitive data logged by applications.

🟢

If Mitigated

Limited impact if logs contain no sensitive data and endpoint is network-restricted.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple WebSocket connection to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.0

Vendor Advisory: https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp

Restart Required: Yes

Instructions:

1. Stop Hoverfly service. 2. Update to version 1.12.0 or later. 3. Restart service.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict access to Hoverfly admin endpoints using firewall rules.

iptables -A INPUT -p tcp --dport 8888 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j DROP

Disable Admin API

all

Run Hoverfly without admin API if not needed.

hoverfly -disable-admin-api

🧯 If You Can't Patch

Implement strict network segmentation to isolate Hoverfly instances.
Configure application logging to exclude sensitive data from Hoverfly logs.

🔍 How to Verify

Check if Vulnerable:

Attempt WebSocket connection to ws://hoverfly_host:8888/api/v2/ws/logs without authentication.

Check Version:

hoverfly --version

Verify Fix Applied:

Verify WebSocket connection to /api/v2/ws/logs endpoint requires authentication after update.

📡 Detection & Monitoring

Log Indicators:

Unauthenticated WebSocket connections to /api/v2/ws/logs endpoint

Network Indicators:

WebSocket traffic to port 8888 from untrusted sources

SIEM Query:

source_port=8888 AND (uri_path="/api/v2/ws/logs" OR protocol="websocket")

📊 Metadata

CVE ID: CVE-2025-54376

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-200

EPSS Score: 0.14% exploit probability (34.7th percentile)

Published: September 10, 2025

Last Updated: September 24, 2025

🔗 References

https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424 Patch
https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-54376, you might also want to check these: