CVE-2025-54376

Status: PUBLISHED · CVSS 7.5 HIGH

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.

EPSS 0.16% (36.1 percentile)

Risk Scores

CVSS 3.1: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.16% (36.1 percentile)

Affected Products

Vendor        Product               Versions
hoverfly      hoverfly              0
SpectoLabs    hoverfly              < 1.12.0
github.com    SpectoLabs/hoverfly   0

Timeline

  • Jan 21, 1970 Security Advisory
  • Sep 10, 2025 CVE Published
  • Sep 10, 2025 Coalition ESS Score
  • Sep 10, 2025 PoC Published
  • Sep 11, 2025 EPSS Score
  • Sep 11, 2025 Coalition ESS Score
  • Sep 11, 2025 PoC Published
  • Sep 18, 2025 EPSS Score
  • Sep 26, 2025 EPSS Score
  • Oct 1, 2025 Coalition ESS Score
  • Oct 3, 2025 EPSS Score
  • Oct 6, 2025 Coalition ESS Score