CVE-2024-45388 Overview
CVE-2024-45388 is a path traversal vulnerability in Hoverfly, a lightweight service virtualization and API mocking tool used by developers and testers. The flaw resides in the /api/v2/simulation POST handler, which loads simulation views from user-specified file paths. Although the handler blocks absolute paths, it does not validate that the resolved path remains within the intended base directory, so an attacker can supply ../ segments to escape the hf.Cfg.ResponsesBodyFilesPath directory and read arbitrary files from the Hoverfly server. The issue is tracked as GHSL-2023-274 and was identified with the CodeQL "Uncontrolled data used in path expression" query. The vulnerability affects confidentiality only and is exploitable over the network without authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can read arbitrary files from the Hoverfly server filesystem, exposing configuration, credentials, and other sensitive data.
Affected Products
- Hoverfly versions prior to v1.10.3
- SpectoLabs Hoverfly service virtualization platform
- Deployments exposing the Hoverfly admin API to untrusted networks
Discovery Timeline
- 2024-09-02 - CVE-2024-45388 published to NVD
- 2024-09-19 - Last updated in NVD database
Technical Details for CVE-2024-45388
Vulnerability Analysis
The vulnerability is a path traversal flaw classified under CWE-22 and CWE-200. The Hoverfly simulation handler accepts a user-controlled filePath parameter and joins it to the configured base directory using filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath). The handler rejects absolute paths but does not verify that the joined result remains within the intended base directory. An attacker can therefore supply a relative path containing ../ traversal sequences to break out of the base directory and reference any file readable by the Hoverfly process.
Because the simulation API does not require authentication by default and is reachable over the network, an attacker with access to the management interface can extract arbitrary files. The impact is limited to confidentiality, with no integrity or availability effects per the published CVSS vector.
Root Cause
The root cause is missing canonicalization and containment checks after path resolution. The fix requires confirming that the result of filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath) is still contained within filepath.Join(hf.Cfg.ResponsesBodyFilesPath, "/") before opening the file. See the Hoverfly Code File Reference for the affected code location.
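The containment check described above, as an added Go example that is not Hoverfly's own code: vulnerableResolve reproduces the pre-fix logic (absolute paths rejected, joined result never checked), safeResolve adds the check. Instead of the string-prefix comparison the advisory describes, it uses filepath.Rel, which also handles the "/base" vs "/base2" pitfall; the base directory value is a constructed stand-in for hf.Cfg.ResponsesBodyFilesPath.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrPathTraversal = errors.New("body file path escapes ResponsesBodyFilesPath")

// vulnerableResolve mirrors the pre-fix logic described above: absolute paths
// are rejected, but the joined result is never checked for containment.
func vulnerableResolve(base, filePath string) (string, error) {
	if filepath.IsAbs(filePath) {
		return "", errors.New("absolute paths are not allowed")
	}
	return filepath.Join(base, filePath), nil
}

// safeResolve adds the missing containment check. filepath.Join already
// collapses ".." segments, so the check runs on the canonical result, and
// filepath.Rel avoids the classic "/base" vs "/base2" string-prefix pitfall.
func safeResolve(base, filePath string) (string, error) {
	if filepath.IsAbs(filePath) {
		return "", errors.New("absolute paths are not allowed")
	}
	cleanBase := filepath.Clean(base)
	resolved := filepath.Join(cleanBase, filePath)
	rel, err := filepath.Rel(cleanBase, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return resolved, nil
}

func main() {
	base := "/var/hoverfly/responses" // hypothetical ResponsesBodyFilesPath value
	for _, in := range []string{"users/list.json", "sub/../ok.json", "../../../../etc/passwd"} {
		v, _ := vulnerableResolve(base, in)
		s, err := safeResolve(base, in)
		fmt.Printf("%-24s vulnerable=%-40q safe=%q err=%v\n", in, v, s, err)
	}
}
```

Note that "sub/../ok.json" is still accepted: the check rejects escaping the base directory, not every ".." segment, which is why detection rules that flag any ".." are stricter than the fix itself.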
Attack Vector
An attacker sends a crafted POST request to /api/v2/simulation containing a simulation payload whose body file reference uses relative traversal segments such as ../../../../etc/passwd. The Hoverfly server resolves the path, opens the targeted file, and returns its contents in the simulation response. No credentials are required when the admin API is exposed without additional access controls. Refer to the CodeQL Go Path Injection Guide and the GitHub Security Advisory GHSA-6xx4-x46f-f897 for additional technical context.
Detection Methods for CVE-2024-45388
Indicators of Compromise
- POST requests to /api/v2/simulation containing ../ sequences or encoded variants such as %2e%2e%2f in body file references.
- Hoverfly access logs showing reads of files outside the configured ResponsesBodyFilesPath directory.
- Unexpected outbound responses from the Hoverfly API containing contents of system files like /etc/passwd or application secrets.
Detection Strategies
- Inspect HTTP request bodies sent to the Hoverfly admin API for relative path traversal patterns in bodyFile fields.
- Correlate Hoverfly process file access events against the configured responses directory to flag out-of-scope reads.
- Run the CodeQL go-path-injection query against Hoverfly forks and downstream integrations to surface similar sinks.
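One way to implement the body inspection named in the indicators and detection strategies above (plain and percent-encoded ../ in bodyFile fields), as an added Go example that is not Hoverfly's or any vendor's code: the payload is constructed, and the field location data.pairs[].response.bodyFile is assumed from the Hoverfly v5 simulation schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// constructedPayload is hand-written sample input (not captured traffic); pair two hides ../../../../etc/passwd behind %2e%2e%2f.
const constructedPayload = `{"data":{"pairs":[{"response":{"status":200,"bodyFile":"users/list.json"}},
{"response":{"status":200,"bodyFile":"%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"}}]},"meta":{"schemaVersion":"v5"}}`
// simulationView keeps only the field this check needs; data.pairs[].response.bodyFile is assumed from the Hoverfly v5 schema.
type simulationView struct {
	Data struct {
		Pairs []struct {
			Response struct {
				BodyFile string `json:"bodyFile"`
			} `json:"response"`
		} `json:"pairs"`
	} `json:"data"`
}

// traversalFindings returns the bodyFile values that still contain a ".." segment after percent-decoding.
func traversalFindings(payload []byte) ([]string, error) {
	var sim simulationView
	if err := json.Unmarshal(payload, &sim); err != nil {
		return nil, err
	}
	var hits []string
	for _, pair := range sim.Data.Pairs {
		if isTraversal(pair.Response.BodyFile) {
			hits = append(hits, pair.Response.BodyFile)
		}
	}
	return hits, nil
}
// isTraversal peels up to two layers of percent-encoding, normalises backslashes, then looks for a ".." path segment.
func isTraversal(p string) bool {
	for i := 0; i < 2; i++ { // second pass catches the double-encoded form %252e%252e%252f
		if d, err := url.PathUnescape(p); err == nil {
			p = d
		}
	}
	return strings.Contains("/"+strings.ReplaceAll(p, `\`, "/")+"/", "/../")
}

func main() {
	fmt.Println(traversalFindings([]byte(constructedPayload)))
}
```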
Monitoring Recommendations
- Forward Hoverfly application and access logs to a centralized log platform with alerts on traversal patterns.
- Monitor network access to the Hoverfly admin port and alert on requests originating from untrusted sources.
- Track Hoverfly version inventory across environments to identify hosts running versions earlier than v1.10.3.
How to Mitigate CVE-2024-45388
Immediate Actions Required
- Upgrade Hoverfly to version v1.10.3 or later on all affected hosts.
- Restrict network access to the Hoverfly admin API so it is reachable only from trusted management networks.
- Audit recent simulation API requests for traversal payloads and review any files that may have been exposed.
Patch Information
The maintainers fixed the vulnerability in Hoverfly v1.10.3 by validating that the resolved file path is contained within the configured ResponsesBodyFilesPath. Details are available in the GitHub Security Advisory GHSA-6xx4-x46f-f897.
Workarounds
- Place Hoverfly behind an authenticating reverse proxy that blocks requests containing ../ patterns in JSON payloads.
- Run Hoverfly as a low-privileged user inside a container or chroot to limit the filesystem scope reachable via traversal.
- Disable or firewall the /api/v2/simulation endpoint where it is not required for operational use.
# Configuration example: restrict the Hoverfly admin API to localhost and upgrade to the fixed release
docker pull spectolabs/hoverfly:v1.10.3   # fixed image for container deployments
hoverfly -listen-on-host 127.0.0.1 -ap 8888   # binary deployments: bind the admin API (-ap) to loopback only
# Front with a reverse proxy that enforces authentication and blocks traversal patterns
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.