CVE-2025-54123 (CNNVD-202509-1491)

CRITICAL
中文标题:
Hoverfly 安全漏洞
英文标题:
Hoverfly vulnerable to remote code execution at `/api/v2/hoverfly/middleware` endpoint due to insecure middleware implementation
CVSS分数: 9.8
发布时间: 2025-09-10 18:41:46
漏洞类型: 其他
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

Hoverfly是SpectoLabs开源的一种轻量级的开源 API 模拟工具。 Hoverfly 1.11.3及之前版本存在安全漏洞,该漏洞源于命令注入,可能导致远程代码执行。

英文描述:

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. This issue is born due to combination of three code level flaws: Insufficient Input Validation in middleware.go line 94-96; Unsafe Command Execution in local_middleware.go line 14-19; and Immediate Execution During Testing in hoverfly_service.go line 173. This allows an attacker to gain remote code execution (RCE) on any system running the vulnerable Hoverfly service. Since the input is directly passed to system commands without proper checks, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process. Commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 in version 1.12.0 disables the set middleware API by default, and subsequent changes to documentation make users aware of the security changes of exposing the set middleware API.

CWE类型:
CWE-20 CWE-78
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
SpectoLabs hoverfly <= 1.11.3 - - cpe:2.3:a:spectolabs:hoverfly:<=_1.11.3:*:*:*:*:*:*:*
hoverfly hoverfly * - - cpe:2.3:a:hoverfly:hoverfly:*:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf x_refsource_CONFIRM
cve.org
访问
https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40 x_refsource_MISC
cve.org
访问
https://github.com/SpectoLabs/hoverfly/commit/a9d4da7bd7269651f54542ab790d0c613d568d3e x_refsource_MISC
cve.org
访问
https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173 x_refsource_MISC
cve.org
访问
https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13 x_refsource_MISC
cve.org
访问
https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93 x_refsource_MISC
cve.org
访问
CVSS评分详情
3.1 (cna)
CRITICAL
9.8
CVSS向量: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
机密性
HIGH
完整性
HIGH
可用性
HIGH
时间信息
发布时间:
2025-09-10 18:41:46
修改时间:
2025-09-10 19:48:59
创建时间:
2025-11-11 15:40:42
更新时间:
2025-11-11 16:00:10
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2025-54123 2025-11-11 15:23:28 2025-11-11 07:40:42
NVD nvd_CVE-2025-54123 2025-11-11 15:01:02 2025-11-11 07:48:29
CNNVD cnnvd_CNNVD-202509-1491 2025-11-11 15:12:56 2025-11-11 08:00:10
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 16:00:10
vulnerability_type: 未提取 → 其他; cnnvd_id: 未提取 → CNNVD-202509-1491; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 其他
  • cnnvd_id: 未提取 -> CNNVD-202509-1491
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:48:29
affected_products_count: 1 → 2; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • affected_products_count: 1 -> 2
  • data_sources: ['cve'] -> ['cve', 'nvd']