
6 matches found

GithubExploit
added 2026/03/28 9:49 p.m., 283 views

Exploit for OS Command Injection in Hoverfly

CVE-2025-54123 Exploit Hoverfly Authenticated Middleware Comm...

CVSS 9.8, AI score 6.2, EPSS 0.10543
Exploits: 7

Veracode
added 2025/10/21 7:58 p.m., 8 views

Improper Authentication

github.com/spectolabs/hoverfly is vulnerable to Improper Authentication. The vulnerability is due to the admin WebSocket endpoint /api/v2/ws/logs not being protected by the same authentication middleware as the REST admin API, which allows an unauthenticated remote attacker to access and stream...

CVSS 8.8, AI score 7.3, EPSS 0.00663
Exploits: 1, References: 3, Affected Software: 1

Veracode
added 2025/10/17 12:24 p.m., 10 views

Command Injection

Hoverfly is vulnerable to Command Injection. The vulnerability is due to improper input validation in the middleware endpoint due to the binary and script parameters being passed directly into a system without sanitization. This allows an attacker to supply crafted values for those parameters to...

CVSS 9.8, AI score 7.4, EPSS 0.10543
Exploits: 7, References: 7, Affected Software: 1

OSV
added 2025/09/17 5:3 p.m., 3 views

GO-2025-3944 Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation in github.com/SpectoLabs/hoverfly

Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation in github.com/SpectoLabs/hoverfly...

CVSS 9.8, AI score 7.5, EPSS 0.10543
Exploits: 7, References: 8

Positive Technologies
added 2025/09/10 12:0 a.m., 6 views

PT-2025-37088

Name of the Vulnerable Software and Affected Versions: Hoverfly versions 1.11.3 and prior

Description: Hoverfly is vulnerable to a command injection issue at the /api/v2/hoverfly/middleware endpoint due to insufficient validation and sanitization of user input. This vulnerability stems from a...

CVSS 9.8, AI score 7.7, EPSS 0.10543
Exploits: 15, References: 56

OSV
added 2024/09/02 4:7 p.m., 10 views

CVE-2024-45388 Arbitrary file read in the `/api/v2/simulation` endpoint in hoverfly (`GHSL-2023-274`)

Hoverfly is a lightweight service virtualization / API simulation / API mocking tool for developers and testers. The /api/v2/simulation POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary...

CVSS 7.5, AI score 6.7, EPSS 0.55864
Exploits: 3, References: 6