CVE-2025-54376 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-54376 PUBLISHED CVSS 7.5 HIGH

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.

EPSS 0.16% · 37.5th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.16%

37.5th percentile

Affected Products

Vendor	Product	Versions
hoverfly	hoverfly	0
SpectoLabs	hoverfly	< 1.12.0
github.com	SpectoLabs/hoverfly	0

Timeline

Jan 21, 1970 Security Advisory
Sep 10, 2025 CVE Published
Sep 10, 2025 Coalition ESS Score
Sep 10, 2025 PoC Published
Sep 11, 2025 EPSS Score
Sep 11, 2025 Coalition ESS Score
Sep 11, 2025 PoC Published
Sep 18, 2025 EPSS Score
Sep 24, 2025 EPSS Score
Oct 1, 2025 EPSS Score
Oct 1, 2025 Coalition ESS Score
Oct 6, 2025 Coalition ESS Score

References

Open in Interactive Console →