
Hoverfly CVE-2025-54376

Severity: HIGH, 7.8 (CVSS 4.0, GitHub Advisory)
Weakness: Information Exposure (CWE-200)
Published: 2025-09-10 (security-advisories@github.com)

Severity by source

GitHub Advisory (primary): 7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

SUSE: 7.5 HIGH (CVSS 3.x)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory. The main difference between the two vectors is integrity impact (VI:L in the v4.0 vector versus I:N in SUSE's v3.x vector); both agree on high confidentiality impact, network reachability, no privileges and no user interaction.

CVSS Vector (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: not a CVSS 4.0 metric (v4.0 replaced Scope with separate vulnerable-system and subsequent-system impact metrics, VC/VI/VA and SC/SI/SA in the vector above)

Lifecycle Timeline (7 events)

- Apr 29, 2026 01:15 (vuln.today): Analysis updated, v2 (cvss_changed)
- Apr 29, 2026 01:11 (vuln.today): Re-analysis queued (cvss_changed)
- Apr 29, 2026 01:11 (NVD): CVSS changed, 8.8 (HIGH) -> 7.8 (HIGH)
- Mar 28, 2026 19:11 (vuln.today): Analysis generated
- Mar 28, 2026 19:11 (NVD): Patch released; patch available
- Sep 24, 2025 14:18 (vuln.today): PoC detected; public exploit code
- Sep 10, 2025 20:15 (NVD): CVE published, HIGH 8.8

Description (GitHub Advisory)

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.

Analysis (AI)

Unauthenticated remote attackers can stream real-time application logs from Hoverfly (versions 1.11.3 and earlier) through the unprotected WebSocket endpoint /api/v2/ws/logs, exposing internal file paths, request/response bodies and other sensitive operational data. Public exploit code exists; the EPSS score of 0.17% (38th percentile) nonetheless predicts a low probability of exploitation in the wild. A vendor patch is available in version 1.12.0. The CVE is not in the CISA KEV catalog, so no active exploitation has been confirmed there, although the attack surface is network-reachable with no authentication barrier.

Technical Context (AI)

Hoverfly is a lightweight API simulation and service virtualization tool commonly used in development and testing environments to mock HTTP services. The vulnerability is in the admin WebSocket endpoint /api/v2/ws/logs, which streams application logs in real time. The REST admin API endpoints are wrapped in authentication middleware; this WebSocket endpoint was registered without it. The advisory classifies the result as CWE-200 (Information Exposure); the root cause is the familiar pattern of a security control applied to one interface (REST) that was not consistently extended to a second channel (WebSocket) serving the same admin surface. No bypass technique is needed: the endpoint is simply unauthenticated. The CVSS vector AV:N/AC:L/PR:N reflects that: reachable over the network, no credentials, no special setup. The NVD CPE match (cpe:2.3:a:hoverfly:hoverfly:*:*:*:*:*:*:*:*) uses a wildcard version; the affected range stated by the advisory is every version up to and including 1.11.3.

Remediation (AI)

Upgrade to Hoverfly 1.12.0, which applies the admin API's authentication middleware to the /api/v2/ws/logs WebSocket endpoint (fix commit: https://github.com/SpectoLabs/hoverfly/commit/ffc2cc34563de67fe1a04f7ba5d78fa2d4564424). For environments that cannot upgrade immediately, the following reduce exposure, each with a functional trade-off:

1. Block requests to /api/v2/ws/logs (in particular WebSocket upgrade requests) at a reverse proxy or firewall in front of the admin interface. This keeps the REST admin API usable but breaks any legitimate log-streaming integrations, and path-based blocking is only as reliable as the proxy's path normalization, so prefer restricting the whole admin interface where possible.
2. Restrict the Hoverfly admin interface to localhost (127.0.0.1) via configuration or network controls. This prevents remote exploitation but limits multi-host monitoring.
3. Deploy Hoverfly in network segments isolated from untrusted users and from the internet. This reduces the attack surface at the cost of segmentation overhead.

Since the rest of the admin API is authenticated, treat any WebSocket upgrade request to /api/v2/ws/logs from an unexpected source IP in the access logs of a proxy or host in front of Hoverfly as a potential indicator of compromise. What an attacker obtains is whatever Hoverfly writes to its logs, which per the advisory can include request and response bodies from simulated traffic, so any secrets that appear in those bodies may have been exposed. No workaround fully eliminates the risk without functional trade-offs; upgrading to 1.12.0 is the complete fix.
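The route-registration pattern from the Technical Context section, together with a check for the remediation, as an added Go example that is not Hoverfly's own code. The bearer-token middleware, the demo token, the REST path /api/v2/hoverfly and the minimal handshake stub are assumptions chosen for illustration (Hoverfly's real admin authentication is not modelled); the WebSocket path /api/v2/ws/logs is the one from the advisory. vulnerableMux registers the WebSocket route outside the auth middleware while the REST route is wrapped, fixedMux wraps both in the same middleware, and probeLogsEndpoint sends an unauthenticated WebSocket upgrade and reports the HTTP status: 101 means the log stream was opened without credentials.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// demoToken is a constructed credential for this example only.
const demoToken = "example-token"

// requireAuth is a hypothetical bearer-token middleware standing in for the
// authentication layer that guards the REST admin API.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+demoToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// restHandler stands in for an authenticated REST admin endpoint (assumed path).
func restHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `{"status":"ok"}`)
}

// wsLogsHandler completes only the RFC 6455 opening handshake (hijack + 101),
// which is all the probe below needs; it does not stream real logs.
func wsLogsHandler(w http.ResponseWriter, r *http.Request) {
	key := r.Header.Get("Sec-WebSocket-Key")
	if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") || key == "" {
		http.Error(w, "websocket upgrade required", http.StatusBadRequest)
		return
	}
	hj, ok := w.(http.Hijacker)
	if !ok {
		http.Error(w, "hijack unsupported", http.StatusInternalServerError)
		return
	}
	conn, _, err := hj.Hijack()
	if err != nil {
		return
	}
	defer conn.Close()
	sum := sha1.Sum([]byte(key + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"))
	accept := base64.StdEncoding.EncodeToString(sum[:])
	fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"+
		"Connection: Upgrade\r\nSec-WebSocket-Accept: %s\r\n\r\n", accept)
}

// vulnerableMux mirrors the flaw pattern: the REST route goes through
// requireAuth, but the WebSocket route is registered bare.
func vulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/api/v2/hoverfly", requireAuth(http.HandlerFunc(restHandler)))
	mux.HandleFunc("/api/v2/ws/logs", wsLogsHandler) // no middleware
	return mux
}

// fixedMux wraps the WebSocket route in the same middleware as the REST route.
func fixedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/api/v2/hoverfly", requireAuth(http.HandlerFunc(restHandler)))
	mux.Handle("/api/v2/ws/logs", requireAuth(http.HandlerFunc(wsLogsHandler)))
	return mux
}

// probeLogsEndpoint sends an unauthenticated WebSocket upgrade request to
// base+/api/v2/ws/logs and returns the HTTP status. 101 means the endpoint
// opened the log stream without credentials.
func probeLogsEndpoint(base string) (int, error) {
	req, err := http.NewRequest("GET", base+"/api/v2/ws/logs", nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Sec-WebSocket-Version", "13")
	req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==") // nonce from the RFC 6455 example
	resp, err := http.DefaultTransport.RoundTrip(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	for name, mux := range map[string]http.Handler{"vulnerable": vulnerableMux(), "fixed": fixedMux()} {
		srv := httptest.NewServer(mux)
		code, err := probeLogsEndpoint(srv.URL)
		srv.Close()
		fmt.Printf("%-10s unauthenticated upgrade -> %d (err=%v)\n", name, code, err)
	}
}
```

Pointed at the base URL of a real admin interface, probeLogsEndpoint returning 101 from an unauthenticated request shows the endpoint is exposed; a patched instance should refuse the upgrade with a non-101 status. The probe only tests the absence of authentication on that one path and does not replace upgrading to 1.12.0.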

Vendor Status

SUSE

Severity: High
Product Status

Affected:
- Container suse/sl-micro/6.0/baremetal-os-container:latest
- Container suse/sl-micro/6.0/base-os-container:latest
- Container suse/sl-micro/6.0/toolbox:latest
- Image SL-Micro
- Image SL-Micro-Base
- Image SL-Micro-Base-RT
- Image SL-Micro-Base-RT-SelfInstall
- Image SL-Micro-Base-RT-encrypted
- Image SL-Micro-Base-SelfInstall
- Image SL-Micro-Base-encrypted
- Image SL-Micro-Base-qcow
- Image SL-Micro-Default
- Image SL-Micro-Default-SelfInstall
- Image SL-Micro-Default-encrypted
- Image SL-Micro-Default-qcow
- Image SLE-Micro
- Image SLE-Micro-Azure
- Image SLE-Micro-BYOS
- Image SLE-Micro-BYOS-Azure
- Image SLE-Micro-BYOS-EC2
- Image SLE-Micro-BYOS-GCE
- Image SLE-Micro-EC2
- Image SLE-Micro-GCE

Fixed:
- openSUSE Tumbleweed


CVE-2025-54376 vulnerability details – vuln.today
