CVE-2025-54376 Overview
CVE-2025-54376 is an information disclosure vulnerability in Hoverfly, an open source API simulation tool. The admin WebSocket endpoint /api/v2/ws/logs was not placed behind the authentication middleware that protects the REST admin API, so an unauthenticated remote attacker who can reach the admin interface can open the WebSocket and stream the application's logs in real time. Those logs may carry internal file paths, request and response bodies, and other sensitive data emitted at runtime.
Critical Impact
An unauthenticated attacker with network access to the admin interface can read Hoverfly's live application log, including internal file paths, request and response bodies, and any other confidential data written to it.
Affected Products
- Hoverfly versions 1.11.3 and prior
- Deployments in which the admin interface (default port 8888) is reachable from networks that should not have administrative access
- Deployments that rely on the admin API's authentication to cover every admin endpoint; an instance running its admin API with no authentication at all is already fully exposed independently of this issue
Discovery Timeline
- 2025-09-10 - CVE-2025-54376 published to NVD
- 2025-09-24 - Last updated in NVD database
Technical Details for CVE-2025-54376
Vulnerability Analysis
This is a missing-authentication flaw rather than a bypass of a working check: the WebSocket endpoint was simply left out of the authentication controls applied to the other administrative routes. /api/v2/ws/logs streams the application log in real time, which is especially damaging when unprotected because logs routinely contain operational data that was never meant for an external audience.
The root issue is inconsistent application of one security control across two transports. The REST routes were wrapped by the authentication middleware; the WebSocket route, served by the same process on the same port, was not. A WebSocket handshake is an ordinary HTTP GET carrying Upgrade and Connection headers until the server answers 101 Switching Protocols, so nothing about the protocol prevented the same middleware from guarding it. The gap is a registration oversight, and it gives an attacker a credential-free path to the log stream.
Root Cause
The WebSocket handler for /api/v2/ws/logs was registered without the authentication middleware that wraps the REST admin routes: the controls were applied per route rather than once over the whole admin API, and this route was missed. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-532 (Insertion of Sensitive Information into Log File); the enabling defect is the missing authentication check on that one route.
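The following Go program is an added illustration of the routing mistake described above; it is not Hoverfly's code and does not reproduce Hoverfly's real authentication middleware. A static bearer token (adminToken) stands in for whatever credential check the real middleware performs, the handlers are stubs that only answer so the effect of the middleware can be observed, and /api/health is an assumed public route. The vulnerable mux applies the check route by route and forgets the WebSocket route; the fixed mux wraps the whole admin prefix once, so a route added later cannot miss the check.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// adminToken is an illustrative static credential for this example only.
// Hoverfly's real middleware is not reproduced here; only the routing pattern is.
const adminToken = "Bearer example-admin-token"

// requireToken rejects any request that does not carry the expected
// Authorization header before it reaches the wrapped handler.
func requireToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != adminToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// restHandler stands in for a REST admin endpoint.
func restHandler(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprintln(w, `{"mode":"simulate"}`)
}

// logStreamHandler stands in for the log-streaming WebSocket handler. A real
// handler would upgrade the connection; this stub only answers, which is enough
// to observe whether the request got past authentication. A WebSocket handshake
// is an ordinary HTTP GET (with Upgrade/Connection headers) until the server
// answers 101, so the same middleware can guard it.
func logStreamHandler(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprintln(w, "log stream would start here")
}

// healthHandler stands in for an endpoint that is meant to stay public (assumed).
func healthHandler(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprintln(w, "ok")
}

// newVulnerableMux shows the pattern behind CVE-2025-54376: the middleware is
// applied route by route, and the WebSocket route is registered bare.
func newVulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/health", http.HandlerFunc(healthHandler))
	mux.Handle("/api/v2/hoverfly", requireToken(http.HandlerFunc(restHandler)))
	mux.Handle("/api/v2/ws/logs", http.HandlerFunc(logStreamHandler)) // missing requireToken
	return mux
}

// newFixedMux puts every admin route under one prefix and wraps that subtree
// once, so a route added later (WebSocket or not) cannot miss the check.
// Only explicitly public routes live outside the wrapped subtree.
func newFixedMux() http.Handler {
	admin := http.NewServeMux()
	admin.Handle("/api/v2/hoverfly", http.HandlerFunc(restHandler))
	admin.Handle("/api/v2/ws/logs", http.HandlerFunc(logStreamHandler))

	root := http.NewServeMux()
	root.Handle("/api/health", http.HandlerFunc(healthHandler))
	root.Handle("/api/v2/", requireToken(admin))
	return root
}

// probe issues an in-memory GET against h and returns the HTTP status code.
func probe(h http.Handler, path, authorization string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, tc := range []struct {
		name string
		h    http.Handler
	}{{"vulnerable", newVulnerableMux()}, {"fixed", newFixedMux()}} {
		fmt.Printf("%-10s unauthenticated GET /api/v2/hoverfly -> %d\n", tc.name, probe(tc.h, "/api/v2/hoverfly", ""))
		fmt.Printf("%-10s unauthenticated GET /api/v2/ws/logs  -> %d\n", tc.name, probe(tc.h, "/api/v2/ws/logs", ""))
	}
}
```

Running it shows the vulnerable mux answering 401 on the REST route but 200 on the WebSocket route without any credential, while the fixed mux answers 401 on both until the token is supplied. The design point is deny-by-default: authenticate at the prefix that groups the admin API, not at each handler, and list the public exceptions explicitly.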
Attack Vector
The attack vector is network-based and requires neither user interaction nor prior authentication. An attacker who can reach the Hoverfly admin interface sends a standard WebSocket handshake (an HTTP GET with Upgrade: websocket) to /api/v2/ws/logs and immediately begins receiving log data. The attack is straightforward to execute:
- The attacker identifies a Hoverfly instance with an exposed admin interface
- The attacker initiates a WebSocket connection to the unprotected /api/v2/ws/logs endpoint
- Log messages containing potentially sensitive data stream to the attacker in real-time
- The attacker passively collects internal paths, API requests and responses, and other operational data for as long as the connection stays open
The vulnerability requires no special tools beyond a WebSocket client, making it accessible to attackers with minimal technical sophistication.
Detection Methods for CVE-2025-54376
Indicators of Compromise
- WebSocket upgrade requests (HTTP GET with Upgrade: websocket) to /api/v2/ws/logs from IP addresses outside the administrative network
- HTTP 101 Switching Protocols responses for /api/v2/ws/logs to clients that never authenticated to the REST admin API
- Long-lived connections to the admin port (default 8888) from hosts that are not known administrative workstations or CI systems
- Sustained outbound traffic on the admin port toward external networks, consistent with a continuous log stream
Detection Strategies
- Because the vulnerable handler performs no authentication, Hoverfly itself records no failed login for these connections; visibility has to come from a reverse proxy, load balancer, or network sensor in front of the admin port
- At that layer, alert on any request for /api/v2/ws/logs from a client that has not authenticated to the REST admin API, and treat a 101 response as confirmed exposure rather than an attempt
- Write network-level rules for WebSocket upgrade requests to Hoverfly admin endpoints, keyed on the Upgrade: websocket header together with the /api/v2/ws/ path prefix
- Review access logs for admin-port connections originating from unexpected network segments
Monitoring Recommendations
- Enable access logging at the reverse proxy or load balancer fronting Hoverfly's admin port, making sure WebSocket upgrades and their 101 responses are recorded
- Alert on any access to the Hoverfly administrative interface from outside the administrative network
- Monitor network segmentation boundaries for attempts to reach internal services such as the admin port
- Regularly audit WebSocket connection logs for long-lived sessions or unknown client addresses and user agents
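The following Go program is an added example of the detection logic described in the indicators and strategies above; it is not part of this advisory's source material or of Hoverfly. It assumes a reverse proxy in front of the admin port writing standard "combined" format access logs, and that 192.168.1.0/24 is the trusted administrative network. The log lines are constructed for the example and are not from any real deployment: they show a trusted administrator using the endpoint, two untrusted clients completing the WebSocket handshake (status 101, i.e. logs were actually streamed) and one rejected attempt (status 401, as a patched instance or an authenticating proxy would answer).

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// wsLogsPath is the unauthenticated endpoint from CVE-2025-54376.
const wsLogsPath = "/api/v2/ws/logs"

// sampleAccessLog is constructed for this example in the common "combined"
// access-log format of a reverse proxy fronting the admin port. It is not
// output from any real deployment. 192.168.1.0/24 is the trusted admin network.
const sampleAccessLog = `192.168.1.20 - - [10/Sep/2025:09:12:01 +0000] "GET /api/v2/hoverfly HTTP/1.1" 200 512 "-" "curl/8.5.0"
192.168.1.20 - - [10/Sep/2025:09:12:05 +0000] "GET /api/v2/ws/logs HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
203.0.113.77 - - [10/Sep/2025:09:13:44 +0000] "GET /api/v2/ws/logs HTTP/1.1" 101 0 "-" "Python/3.12 websockets/12.0"
203.0.113.77 - - [10/Sep/2025:09:13:50 +0000] "GET /api/v2/simulation HTTP/1.1" 401 21 "-" "curl/8.5.0"
198.51.100.9 - - [10/Sep/2025:09:15:02 +0000] "GET /api/v2/ws/logs?x=1 HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2025:09:15:10 +0000] "GET /api/v2/ws/logs HTTP/1.1" 401 21 "-" "Mozilla/5.0"
`

// combinedLine matches one combined-format access log line:
// client ident user [time] "METHOD path proto" status bytes "referer" "agent"
var combinedLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-) "[^"]*" "([^"]*)"$`)

// Finding is one access to the log-streaming endpoint from outside the trusted
// networks. Upgraded is true when the server answered 101, meaning the WebSocket
// handshake completed and log data was streamed to that client.
type Finding struct {
	Client    string
	Timestamp string
	Status    int
	UserAgent string
	Upgraded  bool
}

// parseCIDRs turns the trusted-network allowlist into net.IPNet values.
func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func isTrusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// findWSLogAccess scans access-log text and reports every request for wsLogsPath
// whose client is not inside a trusted network (or cannot be parsed as an IP).
// Lines that do not match the format are counted rather than aborting the scan,
// so one odd line cannot hide the rest of the evidence.
func findWSLogAccess(logText string, trusted []*net.IPNet) (findings []Finding, skipped int) {
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		m := combinedLine.FindStringSubmatch(line)
		if m == nil {
			skipped++
			continue
		}
		path := m[4]
		if i := strings.IndexByte(path, '?'); i >= 0 {
			path = path[:i] // a query string must not hide the path
		}
		if path != wsLogsPath {
			continue
		}
		ip := net.ParseIP(m[1])
		if ip != nil && isTrusted(ip, trusted) {
			continue
		}
		status, _ := strconv.Atoi(m[5])
		findings = append(findings, Finding{
			Client: m[1], Timestamp: m[2], Status: status,
			UserAgent: m[6], Upgraded: status == 101,
		})
	}
	return findings, skipped
}

func main() {
	trusted, err := parseCIDRs([]string{"192.168.1.0/24"})
	if err != nil {
		panic(err)
	}
	findings, skipped := findWSLogAccess(sampleAccessLog, trusted)
	for _, f := range findings {
		verdict := "attempt rejected"
		if f.Upgraded {
			verdict = "UPGRADE SUCCEEDED, logs were streamed"
		}
		fmt.Printf("%s %s status=%d ua=%q: %s\n", f.Timestamp, f.Client, f.Status, f.UserAgent, verdict)
	}
	fmt.Printf("%d finding(s), %d unparseable line(s)\n", len(findings), skipped)
}
```

Point the scanner at the proxy's access log and feed the real administrative CIDRs to parseCIDRs. A 101 from an untrusted client is evidence of exposure, not just an attempt, and should be handled as an incident; a 401 on the same path tells you the check is in place for that client.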
How to Mitigate CVE-2025-54376
Immediate Actions Required
- Upgrade Hoverfly to version 1.12.0 or later, which contains the fix
- Restrict network access to Hoverfly admin interfaces using firewall rules or network segmentation
- Audit current deployments to identify any exposed Hoverfly admin endpoints
- Review proxy and network logs for connections to the WebSocket endpoint made before patching; the vulnerable instance itself will not have recorded them as authentication failures
Patch Information
The vulnerability is addressed in Hoverfly 1.12.0, which places the WebSocket endpoint /api/v2/ws/logs behind the same authentication middleware used for the REST admin endpoints. The fixing commit and the project's GitHub Security Advisory carry further details.
Workarounds
- Place the Hoverfly admin interface behind a reverse proxy that enforces authentication; make sure the rule covers the /api/v2/ws/ path and that the proxy forwards the Upgrade and Connection headers so legitimate administrators can still use the log stream
- Restrict access to the admin port (default 8888) to trusted administrative networks with host or network firewall rules
- Deploy Hoverfly in a private network segment that is not reachable from untrusted networks
# Example: Restrict Hoverfly admin access using iptables
# Allow only the trusted admin network (192.168.1.0/24) to reach admin port 8888.
# Rule order matters: the ACCEPT must precede the DROP, and both are appended (-A),
# so check that no earlier rule in the INPUT chain already accepts this port.
iptables -A INPUT -p tcp --dport 8888 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

