CVE-2025-54376

10.09.2025, 20:15

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverflys admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
GitHub_M	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424

https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp