Vulnerability Description
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the admin WebSocket endpoint /api/v2/ws/logs is not covered by the authentication middleware that protects the REST admin API. An unauthenticated remote attacker who can reach the admin port can therefore open the WebSocket and stream the application's logs in real time, disclosing internal file paths, request and response bodies and any other sensitive data that ends up in the logs. The weakness is a gap in middleware coverage, not a flaw in the authentication scheme itself: the REST routes still require credentials, but the log stream does not. Version 1.12.0 contains a fix; until it is deployed, restricting network access to the admin port limits exposure.
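The following Go program is an added example and is not Hoverfly's own code. It models the bug class described above: an admin mux in which the REST route is wrapped by an authentication middleware but the WebSocket route is registered directly on the mux, placed next to the corrected layout in which every admin route goes through the middleware, and it probes both layouts with an Upgrade request that carries no Authorization header. The middleware, the demo token, the stand-in handlers, the REST path /api/v2/hoverfly and the probe are illustrative assumptions; only the endpoint path /api/v2/ws/logs is taken from the description above.

```go
package main

// Added example modelling the middleware-coverage gap described on this page.
// Not Hoverfly's implementation: the middleware, token, handlers and REST path
// are assumptions made for illustration.

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// demoToken is an assumed credential; a real deployment would validate a JWT
// or similar, but the point here is only whether the check runs at all.
const demoToken = "Bearer demo-token"

// requireAuth rejects any request that does not carry the expected credential.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// logsWS stands in for a log-streaming WebSocket handler. A real handler would
// upgrade the connection and start writing log lines; here it only answers 101
// to show that an unauthenticated request reached it, which is the
// security-relevant fact.
func logsWS(w http.ResponseWriter, r *http.Request) {
	if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
		http.Error(w, "expected websocket upgrade", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusSwitchingProtocols)
}

// restAdmin stands in for an ordinary REST admin handler.
func restAdmin(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, `{"mode":"simulate"}`)
}

// newAdminMux builds the admin router. With protectWS=false the WebSocket
// route is registered outside requireAuth (the vulnerable layout); with
// protectWS=true every admin route, including the WebSocket one, sits behind
// the same middleware (the corrected layout).
func newAdminMux(protectWS bool) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v2/hoverfly", requireAuth(http.HandlerFunc(restAdmin)))

	ws := http.Handler(http.HandlerFunc(logsWS))
	if protectWS {
		ws = requireAuth(ws)
	}
	mux.Handle("/api/v2/ws/logs", ws)
	return mux
}

// probeUnauthenticated sends a WebSocket Upgrade request for path with no
// Authorization header and reports the status and whether the request got
// past authentication. For a protected admin route the only acceptable
// outcome is 401 (or 403); anything else means the handler was reached.
func probeUnauthenticated(h http.Handler, path string) (status int, exposed bool) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Sec-WebSocket-Version", "13")
	req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==") // RFC 6455 sample key
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	status = rec.Code
	exposed = status != http.StatusUnauthorized && status != http.StatusForbidden
	return status, exposed
}

func main() {
	layouts := []struct {
		name      string
		protectWS bool
	}{
		{"ws route registered outside auth middleware", false},
		{"ws route registered behind auth middleware", true},
	}
	for _, l := range layouts {
		mux := newAdminMux(l.protectWS)
		for _, path := range []string{"/api/v2/hoverfly", "/api/v2/ws/logs"} {
			status, exposed := probeUnauthenticated(mux, path)
			fmt.Printf("%-44s %-18s -> %d exposed=%v\n", l.name, path, status, exposed)
		}
	}
}
```

In the vulnerable layout the REST route answers 401 while the WebSocket route answers 101 to the same credential-less request; in the corrected layout both answer 401. The same probe works against a live instance: an Upgrade request to /api/v2/ws/logs on the admin port with no Authorization header should be refused, and a 101 response means the log stream is reachable without credentials.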
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hoverfly | Hoverfly | < 1.12.0 |
Related Weaknesses (CWE)
References
- https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4 (Patch)
- https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-54376?
CVE-2025-54376 is a missing-authentication vulnerability in Hoverfly, an open source API simulation tool, with a CVSS base score of 7.5 (HIGH). In versions 1.11.3 and prior the admin WebSocket endpoint /api/v2/ws/logs is not covered by the authentication middleware that protects the REST admin API, so an unauthenticated remote attacker can stream the application's logs and read whatever sensitive data they contain.
How severe is CVE-2025-54376?
CVE-2025-54376 is rated HIGH with a CVSS base score of 7.5/10. The impact is information disclosure: anyone who can reach the Hoverfly admin port can read the live log stream without credentials, including internal file paths and request and response bodies.
Is there a patch for CVE-2025-54376?
Yes. Hoverfly 1.11.3 and earlier are affected and version 1.12.0 contains the fix, so upgrade to 1.12.0 or later. The fixing commit and the GitHub security advisory (GHSA-jxmr-2h4q-rhxp) are linked in the References section above.