Home

Description

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.

PUBLISHED Reserved 2025-07-21 | Published 2025-09-10 | Updated 2025-09-10 | Assigner GitHub_M




HIGH: 7.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-287: Improper Authentication

Product status

< 1.12.0
affected

References

github.com/...verfly/security/advisories/GHSA-jxmr-2h4q-rhxp

github.com/...ommit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424

cve.org (CVE-2025-54376)

nvd.nist.gov (CVE-2025-54376)

Download JSON