fkie_cve-2025-54123
Vulnerability from fkie_nvd
Published: 2025-09-10 19:15
Modified: 2025-09-17 21:17
Summary
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection at the `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization of user input. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. The issue arises from a combination of three code-level flaws: insufficient input validation in middleware.go, lines 94-96; unsafe command execution in local_middleware.go, lines 14-19; and immediate execution during testing in hoverfly_service.go, line 173. This allows an attacker to gain remote code execution (RCE) on any system running the vulnerable Hoverfly service. Since the input is passed directly to system commands without proper checks, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process. Commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 in version 1.12.0 disables the set middleware API by default, and subsequent changes to documentation make users aware of the security changes of exposing the set middleware API.
Impacted products
Vendor Product Version
hoverfly hoverfly *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hoverfly:hoverfly:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "52876127-6BCA-42D6-9133-2A7A0B326DE8",
              "versionEndExcluding": "1.12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. This issue is born due to combination of three code level flaws: Insufficient Input Validation in middleware.go line 94-96; Unsafe Command Execution in local_middleware.go line 14-19; and Immediate Execution During Testing in hoverfly_service.go line 173. This allows an attacker to gain remote code execution (RCE) on any system running the vulnerable Hoverfly service. Since the input is directly passed to system commands without proper checks, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process. Commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 in version 1.12.0 disables the set middleware API by default, and subsequent changes to documentation make users aware of the security changes of exposing the set middleware API."
    },
    {
      "lang": "es",
      "value": "Hoverfly es una herramienta de simulaci\u00f3n de API de c\u00f3digo abierto. En las versiones 1.11.3 y anteriores, la funcionalidad de middleware en Hoverfly es vulnerable a una vulnerabilidad de inyecci\u00f3n de comandos en el endpoint \u0027/api/v2/hoverfly/middleware\u0027 debido a una validaci\u00f3n y sanitizaci\u00f3n insuficientes en la entrada del usuario. La vulnerabilidad existe en el endpoint de la API de gesti\u00f3n de middleware \u0027/api/v2/hoverfly/middleware\u0027. Este problema nace de la combinaci\u00f3n de tres fallos a nivel de c\u00f3digo: Validaci\u00f3n de Entrada Insuficiente en middleware.go l\u00ednea 94-96; Ejecuci\u00f3n de Comandos Insegura en local_middleware.go l\u00ednea 14-19; y Ejecuci\u00f3n Inmediata Durante las Pruebas en hoverfly_service.go l\u00ednea 173. Esto permite a un atacante obtener ejecuci\u00f3n remota de c\u00f3digo (RCE) en cualquier sistema que ejecute el servicio Hoverfly vulnerable. Dado que la entrada se pasa directamente a los comandos del sistema sin las comprobaciones adecuadas, un atacante puede cargar una carga \u00fatil maliciosa o ejecutar directamente comandos arbitrarios (incluyendo shells inversas) en el servidor anfitri\u00f3n con los privilegios del proceso Hoverfly. El commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 en la versi\u00f3n 1.12.0 deshabilita la API de configuraci\u00f3n de middleware por defecto, y los cambios posteriores en la documentaci\u00f3n alertan a los usuarios sobre los cambios de seguridad al exponer la API de configuraci\u00f3n de middleware."
    }
  ],
  "id": "CVE-2025-54123",
  "lastModified": "2025-09-17T21:17:53.460",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-10T19:15:41.803",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/SpectoLabs/hoverfly/commit/a9d4da7bd7269651f54542ab790d0c613d568d3e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

