Share
## https://sploitus.com/exploit?id=E68A2130-DA61-5049-B54C-BC1A6944CCBF
# CVE-2025-54123 - Hoverfly Command Injection (RCE)

> PoC CVE-2025-54123 - Middleware Command Injection in Hoverfly

---

## ๐Ÿ“Œ CVE Details

* **ID**: CVE-2025-54123
* **Type**: Command Injection / Remote Code Execution (RCE)
* **Vendor**: Hoverfly
* **Impact**: Allows authenticated attackers to execute arbitrary system commands via the middleware API endpoint.
* **Affected Versions**: Hoverfly โ‰ค 1.11.3
* **More Info**:
	* [GHSA-r4h8-hfp2-ggmf](https://github.com/advisories/GHSA-r4h8-hfp2-ggmf)
	* [NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54123]

---

## โš™๏ธ Description

This exploit targets a critical vulnerability in **Hoverfly**, specifically in the `/api/v2/hoverfly/middleware` endpoint.

The issue arises due to **insufficient validation of user-supplied input**, where the `script` parameter is passed to a system binary (e.g., `/bin/bash`) without proper sanitization.

An authenticated attacker can send a crafted request containing arbitrary commands, which are then executed on the underlying system.

This results in **Remote Command Execution (RCE)** and may lead to full system compromise.

---

## ๐Ÿš€ Usage

### ๐Ÿ”ง Requirements

* `curl`

---

### ๐Ÿ“ฅ Installation

```bash
git clone https://github.com/your-repo/CVE-2025-54123
```

```bash
cd CVE-2025-54123
```

```bash
chmod +x CVE-2025-54123.sh
```

---

### ๐Ÿงช Help Panel

```bash
./CVE-2025-54123.sh -h

[?] Parameters description:

	-t    Target base URL (e.g., http://target:8888)
	-u    Valid username
	-p    Valid password
	-c    Command to execute (must be enclosed in quotes)
	-h    Show this help panel

[i] Example:
./CVE-2025-54123.sh -t http://target.com:8888 -u admin -p password -c "id"
```

---

## ๐Ÿง  Technical Summary

* The middleware API allows execution of external scripts.
* User-controlled input is passed via the `script` parameter.
* No proper sanitization is applied before execution.
* The backend executes the input using a specified binary (e.g., `/bin/bash`).
* This allows arbitrary command execution.

---

## โš ๏ธ Notes

* Authentication is required to obtain a valid token.
* Multiple failed authentication attempts may trigger temporary blocking depending on internal configuration.
* Behavior may vary depending on deployment (e.g., Docker vs native).

---

## โš ๏ธ Disclaimer

This exploit is intended for **educational and authorized security testing purposes only**.

Do **NOT** use this against systems without explicit permission. Unauthorized access may be illegal.

The author assumes **no responsibility** for misuse or any damage caused.