Advisories for Golang/Github.com/Spectolabs/Hoverfly package

2025

WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled

Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can: Stream real-time application logs (information disclosure). Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs.

Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation

It has been discovered that the middleware functionality in Hoverfly is vulnerable to command injection through its /api/v2/hoverfly/middleware endpoint due to insufficient validation and sanitization in user input.

2024

Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`)

This issue may lead to Information Disclosure.