CVE-2025-54123
BaseFortify
Publication date: 2025-09-10
Last updated on: 2025-09-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hoverfly | hoverfly | < 1.12.0 (all versions before 1.12.0; 1.12.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54123 is a critical remote code execution vulnerability in the Hoverfly API simulation tool, affecting versions 1.11.3 and earlier. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware` due to insufficient input validation and unsafe command execution. Specifically, user input is not properly sanitized before being passed to system commands, allowing an attacker to execute arbitrary commands or upload malicious payloads on the host system with the privileges of the Hoverfly process. This can be exploited by sending crafted HTTP PUT requests to the vulnerable endpoint, leading to full remote code execution without authentication. [2]
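The pattern the answer above describes, as an added illustration rather than Hoverfly's own source: a request parser that trusts the caller's `binary` and `script` fields (the CWE-20/CWE-78 shape from the table), beside a hardened variant that gates the feature behind an explicit enable switch, checks the binary against an operator allow-list after canonicalising the path, and bounds the script. The execution model (the binary is invoked with the script written to a temporary file as its only argument, no shell), the limit `MAX_SCRIPT_BYTES`, and the names `parse_request_vulnerable`, `parse_request_hardened`, `run_middleware` and `MiddlewareRejected` are assumptions made for this example.

```python
"""Illustrative middleware-API request handling: vulnerable vs hardened.

Added example, not Hoverfly's code. Assumed execution model (taken from the
page's description, not verified against the project): the caller's "binary"
is run with the caller's "script", written to a temp file, as its argument.
"""
import json
import os
import subprocess
import tempfile
from typing import Iterable, Tuple

MAX_SCRIPT_BYTES = 64 * 1024  # hypothetical cap used by the hardened variant


class MiddlewareRejected(Exception):
    """Raised by the hardened parser when a request must not be executed."""


def parse_request_vulnerable(body: bytes) -> Tuple[str, str]:
    """CWE-20/CWE-78 shape: whatever the caller sends becomes argv[0]."""
    req = json.loads(body)
    return req["binary"], req["script"]


def parse_request_hardened(body: bytes, *, middleware_api_enabled: bool,
                           allowed_binaries: Iterable[str]) -> Tuple[str, str]:
    """Only run binaries from an operator allow-list, and only if the API is on."""
    if not middleware_api_enabled:
        raise MiddlewareRejected("middleware API is disabled on this instance")
    try:
        req = json.loads(body)
    except ValueError as exc:
        raise MiddlewareRejected(f"malformed JSON: {exc}") from exc
    binary = req.get("binary")
    script = req.get("script", "")
    if not isinstance(binary, str) or not os.path.isabs(binary):
        raise MiddlewareRejected("binary must be an absolute path")
    # Canonicalise both sides so symlinks or ".." cannot dodge the allow-list.
    allowed = {os.path.realpath(p) for p in allowed_binaries}
    canonical = os.path.realpath(binary)
    if canonical not in allowed:
        raise MiddlewareRejected(f"binary {binary!r} is not in the allow-list")
    if not isinstance(script, str) or len(script.encode()) > MAX_SCRIPT_BYTES:
        raise MiddlewareRejected("script missing, not a string, or too large")
    return canonical, script


def run_middleware(binary: str, script: str, payload: bytes,
                   timeout: float = 5.0) -> bytes:
    """Execute an already-validated (binary, script) pair: argv list (no shell),
    bounded runtime, temp file removed afterwards."""
    fd, path = tempfile.mkstemp(prefix="middleware-", suffix=".script")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(script)
        proc = subprocess.run([binary, path], input=payload, capture_output=True,
                              timeout=timeout, check=True)
        return proc.stdout
    finally:
        os.unlink(path)
```

The hardened parser rejects before anything touches the filesystem or spawns a process; note that an allow-list alone does not help if it contains an interpreter such as `/bin/bash`, since the script body is still caller-controlled, which is why the page's real mitigations are disabling the API and keeping it off the network.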
How can this vulnerability impact me?
This vulnerability allows an attacker to remotely execute arbitrary operating system commands on any system running the vulnerable Hoverfly service, without requiring authentication. This can lead to complete compromise of the affected system, including unauthorized access, data theft, system manipulation, and denial of service. The attacker can run commands such as spawning reverse shells, which can be used to maintain persistent access or move laterally within a network. The impact affects confidentiality, integrity, and availability of the system, making it a severe security risk. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with a read-only check rather than an exploit. `curl -s http://<host>:8888/api/v2/hoverfly/version` (8888 is Hoverfly's default admin port) returns the running version; anything below 1.12.0 (1.11.3 or earlier) is affected. `curl -s http://<host>:8888/api/v2/hoverfly/middleware` shows whether the middleware endpoint is reachable from where you are. The active proof is a crafted HTTP PUT with a JSON payload naming a binary and a script to execute, for example: `curl -X PUT http://<host>:8888/api/v2/hoverfly/middleware -d '{"binary": "/bin/bash", "script": "whoami"}' -H 'Content-Type: application/json'`. Be aware that this request changes the running instance's middleware configuration and executes the command on the host, so send it only to instances you own or are authorised to test. If the command executes, the instance is vulnerable. For ongoing detection, alert on PUT requests to this endpoint from anything other than the expected operator hosts, and on the host watch for unexpected child processes of the Hoverfly process. [2]
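The two sides of the detection advice above, as an added example that is not Hoverfly's or BaseFortify's code: a read-only probe that fetches the version from the admin API and compares it with the 1.12.0 fix line without sending any PUT, and a detector that flags PUTs to the middleware endpoint in reverse-proxy access logs. Assumptions: the version endpoint returns JSON of the form `{"version": "v1.11.3"}`, the log lines are in combined log format and are constructed here for the example, and the names `check_host`, `is_vulnerable_version` and `suspicious_middleware_requests` are this example's own.

```python
"""Read-only exposure checks for CVE-2025-54123 and a detector for the request
pattern described on the page. Added example, not Hoverfly's code."""
import json
import re
import urllib.error
import urllib.request
from typing import Dict, Iterable, List, Optional, Set, Tuple

FIXED_VERSION = (1, 12, 0)            # first release outside the affected range
MIDDLEWARE_PATH = "/api/v2/hoverfly/middleware"
VERSION_PATH = "/api/v2/hoverfly/version"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept "1.11.3" or "v1.11.3"; the admin API is assumed to report a leading v."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Hoverfly version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable_version(text: str) -> bool:
    """Everything below 1.12.0 is in the affected range."""
    return parse_version(text) < FIXED_VERSION


def version_from_admin_response(body: bytes) -> str:
    """Assumed response shape of GET /api/v2/hoverfly/version: {"version": "..."}."""
    return json.loads(body)["version"]


def check_host(admin_base: str = "http://127.0.0.1:8888",
               timeout: float = 3.0) -> Dict[str, object]:
    """Live, read-only probe: GET the version and GET the middleware endpoint.
    No PUT is sent, so nothing is changed or executed on the target."""
    base = admin_base.rstrip("/")
    with urllib.request.urlopen(base + VERSION_PATH, timeout=timeout) as resp:
        version = version_from_admin_response(resp.read())
    try:
        with urllib.request.urlopen(base + MIDDLEWARE_PATH, timeout=timeout) as resp:
            reachable = resp.status == 200
    except urllib.error.HTTPError:
        reachable = False
    return {"version": version,
            "vulnerable_version": is_vulnerable_version(version),
            "middleware_endpoint_reachable": reachable}


# Constructed sample: combined-format access log from a reverse proxy that
# fronts the admin port. Hoverfly itself does not produce these lines.
SAMPLE_ACCESS_LOG = [
    '10.0.0.7 - - [10/Sep/2025:12:00:01 +0000] "GET /api/v2/hoverfly/version HTTP/1.1" 200 24 "-" "curl/8.5.0"',
    '10.0.0.9 - - [10/Sep/2025:12:00:03 +0000] "GET /api/v2/hoverfly/middleware HTTP/1.1" 200 40 "-" "hoverctl"',
    '10.0.0.7 - - [10/Sep/2025:12:00:05 +0000] "PUT /api/v2/hoverfly/middleware HTTP/1.1" 200 51 "-" "curl/8.5.0"',
    '10.0.0.9 - - [10/Sep/2025:12:01:00 +0000] "PUT /api/v2/hoverfly/simulation HTTP/1.1" 200 1024 "-" "hoverctl"',
]

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_middleware_requests(lines: Iterable[str],
                                   trusted_clients: Optional[Set[str]] = None
                                   ) -> List[Dict[str, str]]:
    """Flag PUTs to the middleware endpoint (the verb that installs a new
    binary/script), ignoring clients on the operator's trusted list. GETs are
    read-only and are not flagged."""
    trusted = trusted_clients or set()
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if (m.group("method") == "PUT" and path == MIDDLEWARE_PATH
                and m.group("client") not in trusted):
            hits.append({"client": m.group("client"), "time": m.group("ts"),
                         "path": path, "status": m.group("status")})
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8888"
    print(json.dumps(check_host(target), indent=2))
    for hit in suspicious_middleware_requests(SAMPLE_ACCESS_LOG):
        print("suspicious:", hit)
```

Run it with the admin URL of the instance to probe; the log detector is fed the constructed sample when run directly, and in practice would be pointed at the proxy's access log with the operator hosts passed as `trusted_clients`.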
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
1. Upgrade to Hoverfly 1.12.0 or later; every earlier version is in the affected range.
2. Do not start Hoverfly with the `-enable-middleware-api` flag, so the middleware endpoint `/api/v2/hoverfly/middleware` stays disabled.
3. Bind the Admin API to localhost (127.0.0.1) only, so it cannot be reached from other hosts.
4. Put the Admin API behind a firewall, VPN or reverse proxy that limits it to trusted networks and callers, and enable authentication where possible.
5. Never expose the Admin API publicly; run Hoverfly only on trusted or private networks.
Together these remove or narrow the path to unauthenticated remote code execution via the middleware API. [1, 3]