CVE-2025-54123: Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation
It has been discovered that the middleware functionality in Hoverfly is vulnerable to command injection through its /api/v2/hoverfly/middleware
endpoint due to insufficient validation and sanitization of user input.
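One compensating control while a patched build is rolled out: place a small gate in front of Hoverfly's admin API that lets only loopback clients change the middleware configuration. The code below is an added example, not part of Hoverfly or this advisory; the handler names, the loopback policy and the stub upstream are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// middlewareEndpoint is the admin API path named in the advisory.
const middlewareEndpoint = "/api/v2/hoverfly/middleware"

// GuardMiddlewareEndpoint wraps the upstream admin API handler and refuses to
// forward state-changing requests for the middleware endpoint unless they come
// from a loopback address. Read-only GET/HEAD requests still pass through.
// (Example policy; not Hoverfly's own code.)
func GuardMiddlewareEndpoint(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isMiddlewareWrite(r) && !fromLoopback(r.RemoteAddr) {
			http.Error(w, "middleware changes are only accepted from localhost", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// isMiddlewareWrite matches any non-read method on the middleware path,
// tolerating a trailing slash so the check cannot be bypassed that way.
func isMiddlewareWrite(r *http.Request) bool {
	return strings.TrimSuffix(r.URL.Path, "/") == middlewareEndpoint &&
		r.Method != http.MethodGet && r.Method != http.MethodHead
}

// fromLoopback reports whether a "host:port" remote address is 127.0.0.0/8 or ::1.
func fromLoopback(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// Probe runs one request through the guard against a stub upstream that always
// answers 200, and returns the resulting HTTP status code.
func Probe(method, path, remote string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, path, nil)
	req.RemoteAddr = remote // constructed client address for the demonstration
	rec := httptest.NewRecorder()
	GuardMiddlewareEndpoint(upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("remote PUT:", Probe(http.MethodPut, middlewareEndpoint, "10.0.0.5:4321"))
	fmt.Println("local PUT: ", Probe(http.MethodPut, middlewareEndpoint, "127.0.0.1:5000"))
}
```

Requests that hit the endpoint from outside loopback are the ones worth alerting on in the proxy's access log, whether or not they are blocked.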
References
- github.com/SpectoLabs/hoverfly
- github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go
- github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go
- github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go
- github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40
- github.com/SpectoLabs/hoverfly/commit/a9d4da7bd7269651f54542ab790d0c613d568d3e
- github.com/SpectoLabs/hoverfly/pull/1203
- github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf
- github.com/advisories/GHSA-r4h8-hfp2-ggmf
- nvd.nist.gov/vuln/detail/CVE-2025-54123