CVE-2025-54376
BaseFortify
Publication date: 2025-09-10
Last updated on: 2026-04-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hoverfly | hoverfly | up to 1.12.0 (excluding 1.12.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54376 is a security vulnerability in Hoverfly versions 1.11.3 and earlier where the WebSocket endpoint /api/v2/ws/logs is not protected by authentication middleware, unlike the REST admin API. This allows an unauthenticated remote attacker to connect to this endpoint and stream real-time application logs, which may contain sensitive information such as internal file paths, request and response bodies, authentication tokens, and other confidential data. Essentially, it is an authentication bypass and information disclosure vulnerability. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an unauthenticated attacker to access real-time application logs without authorization. These logs may expose sensitive information including internal file paths, proxied request and response bodies, authentication tokens, and other confidential data. This exposure can lead to information disclosure, potentially aiding attackers in further compromising your system or data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by attempting to connect to the WebSocket endpoint /api/v2/ws/logs without authentication, even when Hoverfly is started with the --auth flag enabled. For example, using a WebSocket client like wscat, run the command: wscat -c ws://<hoverfly-host>:<port>/api/v2/ws/logs. If you receive a stream of real-time application logs without providing credentials, your system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Hoverfly to version 1.12.0 or later, where the WebSocket endpoint /api/v2/ws/logs is secured by token-based authentication. If upgrading is not immediately possible, restrict network access to the Hoverfly admin interface to trusted users only, and monitor for unauthorized WebSocket connections to the logs endpoint. [1, 2]
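The root cause the answers above describe, a WebSocket route registered outside the authentication middleware that protects the REST admin API, is a routing mistake that is easy to see in code. The following Go program is an added illustration written for this page; it is not Hoverfly's code and does not reproduce its internals. The route paths mirror the advisory, while `requireToken`, `logStream`, `restStatus`, the two router constructors and the constant `adminToken` are hypothetical names invented here. The log-stream handler writes one constructed log line over plain HTTP instead of performing a real WebSocket upgrade, so the example runs without third-party dependencies; the point it demonstrates is that a WebSocket handshake is an ordinary HTTP GET, so middleware wrapped around the whole admin tree checks the token before any upgrade could happen, and a route cannot be forgotten individually.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// adminToken is a constructed placeholder secret for this illustration;
// a real deployment loads it from configuration and never hard-codes it.
const adminToken = "example-admin-token"

// requireToken is a hypothetical bearer-token middleware. It runs before the
// wrapped handler, so on a WebSocket route it runs on the HTTP GET handshake.
func requireToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		got := r.Header.Get("Authorization")
		if !strings.HasPrefix(got, prefix) ||
			subtle.ConstantTimeCompare([]byte(strings.TrimPrefix(got, prefix)), []byte(adminToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// logStream stands in for the log-streaming WebSocket handler. It emits a
// constructed log line (the kind of proxied request detail the advisory says
// such logs can contain) instead of upgrading the connection.
func logStream(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, `time="2025-09-10T00:00:00Z" level=info msg="proxied GET /internal/config"`)
}

// restStatus stands in for a REST admin endpoint.
func restStatus(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, `{"status":"ok"}`)
}

// vulnerableRouter wires the middleware onto the REST route only: the class
// of mistake the advisory describes, where the WebSocket log route is
// registered bare and answers without a token.
func vulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v2/hoverfly", requireToken(http.HandlerFunc(restStatus)))
	mux.Handle("/api/v2/ws/logs", http.HandlerFunc(logStream)) // gap: no middleware
	return mux
}

// fixedRouter applies the same middleware to the whole admin tree, so the
// WebSocket route is covered by the same single wrap as the REST routes.
func fixedRouter() http.Handler {
	admin := http.NewServeMux()
	admin.HandleFunc("/api/v2/hoverfly", restStatus)
	admin.HandleFunc("/api/v2/ws/logs", logStream)
	root := http.NewServeMux()
	root.Handle("/api/v2/", requireToken(admin)) // one wrap covers every admin route
	return root
}

// probe issues the GET a WebSocket client starts its handshake with, with or
// without a bearer token, and returns the HTTP status the router produced.
func probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	routers := map[string]http.Handler{"vulnerable": vulnerableRouter(), "fixed": fixedRouter()}
	for name, h := range routers {
		fmt.Printf("%-10s REST no token: %d  WS no token: %d  WS with token: %d\n", name,
			probe(h, "/api/v2/hoverfly", ""), probe(h, "/api/v2/ws/logs", ""), probe(h, "/api/v2/ws/logs", adminToken))
	}
}
```

Running it prints 401 for the bare REST probe on both routers, 200 for the unauthenticated log-stream probe on the vulnerable router and 401 on the fixed one; that is the same distinction the `wscat` check above observes from the outside. Wrapping the admin prefix once, rather than each handler separately, is the design choice that keeps a later route addition from reopening the gap.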