CVE-2025-54376: WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled

September 10, 2025 (updated September 13, 2025)

Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can:

Stream real-time application logs (information disclosure).
Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs.

References

github.com/SpectoLabs/hoverfly
github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424
github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp
github.com/advisories/GHSA-jxmr-2h4q-rhxp
nvd.nist.gov/vuln/detail/CVE-2025-54376

Code Behaviors & Features

Detect and mitigate CVE-2025-54376 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →