CVE-2025-54376: WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled
Hoverfly’s admin WebSocket endpoint `/api/v2/ws/logs` is not protected by the authentication middleware that guards the REST admin API, so it stays reachable even when `--auth` is enabled. Consequently, an unauthenticated remote attacker can:
- Stream real-time application logs (information disclosure).
- Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs.
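The defect pattern and its fix, as an added Go example that is not Hoverfly's own code: the bearer-token check, the `/api/v2/example` REST path and the `StatusFor` helper are constructed for illustration, and `ok` stands in for the real WebSocket upgrade handler. The point is that applying the middleware per route lets a later-added WebSocket route skip it, while wrapping the whole admin mux once covers every route.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)
// Hypothetical bearer token standing in for Hoverfly's real admin auth (not shown on the page).
const adminToken = "constructed-example-token"
// requireAuth is the middleware that is supposed to guard every admin route.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+adminToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ok stands in for both the REST handler and the WebSocket upgrade handler.
func ok(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }

// VulnerableMux mirrors the flaw: auth is applied per REST route, and the
// WebSocket route is registered on the bare mux without it.
func VulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v2/example", requireAuth(http.HandlerFunc(ok))) // constructed REST path
	mux.HandleFunc("/api/v2/ws/logs", ok)                              // no requireAuth
	return mux
}

// FixedMux wraps the whole admin mux once, so no route can skip auth.
func FixedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v2/example", ok)
	mux.HandleFunc("/api/v2/ws/logs", ok)
	return requireAuth(mux)
}

// StatusFor sends an in-process request (no network) and returns the status code.
func StatusFor(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```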