CVE-2025-54376
PUBLISHED
CVSS 7.5 HIGH
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.
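The root cause described above is a route that sits outside the authentication middleware protecting the rest of the admin API. The following Go program is an added illustration, not Hoverfly's own code: it builds a minimal admin router where the REST route is wrapped by a bearer-token check, and shows the log-streaming route once registered bare (the pattern in the affected versions) and once wrapped like its siblings (the fix). The token, the `/api/v2/admin-example` REST path and the plain-HTTP stand-in for the WebSocket handler are all assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// adminToken is a constructed example secret; a real deployment loads it from configuration.
const adminToken = "example-admin-token"

// requireAuth is an assumed stand-in for the middleware guarding the REST admin API.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		want := []byte("Bearer " + adminToken)
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// logsHandler stands in for the log-streaming endpoint; it answers plain HTTP rather than upgrading to WebSocket.
func logsHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "log stream would start here")
}

// NewAdminMux builds the router. protectLogs=false leaves /api/v2/ws/logs outside the
// middleware (the defect in the affected versions); true wraps it like the REST routes.
func NewAdminMux(protectLogs bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/api/v2/admin-example", requireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "rest admin api")
	})))
	var logs http.Handler = http.HandlerFunc(logsHandler)
	if protectLogs {
		logs = requireAuth(logs)
	}
	mux.Handle("/api/v2/ws/logs", logs)
	return mux
}

// StatusFor returns the status code a GET to path receives; an empty token means an unauthenticated client.
func StatusFor(mux http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unauthenticated, logs route unprotected:", StatusFor(NewAdminMux(false), "/api/v2/ws/logs", "")) // 200
	fmt.Println("unauthenticated, logs route protected:  ", StatusFor(NewAdminMux(true), "/api/v2/ws/logs", ""))  // 401
}
```

A quick check for any deployment is the same as the test below: every admin route, WebSocket ones included, should return 401 to a request carrying no credentials.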
EPSS 0.16% · 36.1st percentile
Risk Scores
- CVSS 3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- EPSS: 0.16% (36.1st percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| hoverfly | hoverfly | 0 |
| SpectoLabs | hoverfly | < 1.12.0 |
| github.com | SpectoLabs/hoverfly | 0 |
Timeline
- Jan 21, 1970 Security Advisory
- Sep 10, 2025 CVE Published
- Sep 10, 2025 Coalition ESS Score
- Sep 10, 2025 PoC Published
- Sep 11, 2025 EPSS Score
- Sep 11, 2025 Coalition ESS Score
- Sep 11, 2025 PoC Published
- Sep 18, 2025 EPSS Score
- Sep 26, 2025 EPSS Score
- Oct 1, 2025 Coalition ESS Score
- Oct 3, 2025 EPSS Score
- Oct 6, 2025 Coalition ESS Score
References
- Advisory: https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-jxmr-2h4q-rhxp
- Fix commit: https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424
- Advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-54376
- Package: https://github.com/SpectoLabs/hoverfly
- Advisory: https://pkg.go.dev/vuln/GO-2025-3945