CVE-2025-54123
Published: 10 September 2025
Summary
CVE-2025-54123 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Hoverfly, an open source API simulation tool. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
Hoverfly, an open source API simulation tool, contains a command injection vulnerability in versions 1.11.3 and earlier. The flaw resides in the middleware management endpoint at /api/v2/hoverfly/middleware and stems from insufficient input validation in middleware.go combined with unsafe command execution in local_middleware.go and immediate execution logic in hoverfly_service.go. This allows unauthenticated remote attackers to supply crafted input that is passed directly to system commands.
An attacker with network access to the vulnerable endpoint can upload malicious payloads or execute arbitrary commands, including reverse shells, under the privileges of the Hoverfly process. The issue carries a CVSS score of 9.8 and maps to CWE-20 and CWE-78, reflecting the absence of authentication or sanitization on a remotely reachable API.
The fix in version 1.12.0, introduced via commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40, disables the set-middleware API by default and updates documentation to highlight the security implications of exposing it. The EPSS score rose from a low baseline to a peak of 0.6294, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27608
Vulnerability details
Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection at the `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization of user input. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. The issue arises from a combination of three code-level flaws: insufficient input validation in middleware.go (lines 94-96); unsafe command execution in local_middleware.go (lines 14-19); and immediate execution during testing in hoverfly_service.go (line 173). Together these allow an attacker to gain remote code execution (RCE) on any system running the vulnerable Hoverfly service. Because the input is passed directly to system commands without proper checks, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process. Commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 in version 1.12.0 disables the set-middleware API by default, and subsequent documentation changes make users aware of the security implications of exposing the set-middleware API.
- CWE(s): CWE-20 (Improper Input Validation); CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection in the exposed middleware API directly enables RCE on a public-facing service (T1190) and arbitrary OS command execution (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly addresses the CVE by requiring timely flaw remediation, i.e. upgrading to Hoverfly version 1.12.0, which disables the vulnerable middleware API by default.
- SI-10 (Information Input Validation): mandates validation and sanitization of user-supplied input to the /api/v2/hoverfly/middleware endpoint to block command injection payloads.
- CM-7 (Least Functionality): enforces least functionality by restricting or disabling the unnecessary middleware API endpoint, preventing exposure to command injection exploits.
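The following Go program is an added illustration of the two controls above (CM-7 and SI-10) applied to a set-middleware style request. It is not Hoverfly's code and does not reproduce the project's fix; the request field names, the allowlist of interpreter paths and the policy type are assumptions made for this example. It shows the pattern a defender would want at such an endpoint: the feature is off by default, the interpreter that actually runs comes from an operator-controlled allowlist rather than from the request, the script argument is restricted to a plain file name, and no shell is ever invoked, so user input is never reparsed as a command line.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// MiddlewareRequest is a hypothetical request body for a set-middleware call:
// the interpreter to launch and the script it should run. The field names are
// an assumption for this example, not Hoverfly's real API schema.
type MiddlewareRequest struct {
	Binary string
	Script string
}

// Policy expresses the two controls the advisory maps to this CVE:
// CM-7 (the set-middleware API stays off unless an operator enables it) and
// SI-10 (only allowlisted interpreters, resolved to fixed absolute paths, and
// a clean script name are accepted).
type Policy struct {
	SetMiddlewareEnabled bool
	AllowedBinaries      map[string]string // base name -> absolute path
}

var (
	ErrAPIDisabled  = errors.New("set-middleware API is disabled by default")
	ErrBinaryDenied = errors.New("interpreter is not on the allowlist")
	ErrBadScript    = errors.New("script name contains disallowed characters")
)

// scriptName permits only plain file names: no path separators, no whitespace,
// no shell metacharacters. The hardened path never invokes a shell, so this is
// defence in depth rather than the primary control.
var scriptName = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

// DefaultPolicy mirrors the 1.12.0 behaviour described above: the API is
// disabled until explicitly enabled. The allowlist entries are example paths.
func DefaultPolicy() Policy {
	return Policy{
		SetMiddlewareEnabled: false,
		AllowedBinaries: map[string]string{
			"python3": "/usr/bin/python3",
			"node":    "/usr/bin/node",
		},
	}
}

// Validate returns nil only when the feature is enabled, the requested
// interpreter is allowlisted by base name (the request's own path is ignored,
// so "../../bin/sh" or "/tmp/evil/python3" never become the executed path),
// and the script is a single, non-hidden, clean file name.
func (p Policy) Validate(req MiddlewareRequest) error {
	if !p.SetMiddlewareEnabled {
		return ErrAPIDisabled
	}
	bin := filepath.Base(strings.TrimSpace(req.Binary))
	if _, ok := p.AllowedBinaries[bin]; !ok {
		return ErrBinaryDenied
	}
	if !scriptName.MatchString(req.Script) || strings.HasPrefix(req.Script, ".") {
		return ErrBadScript
	}
	return nil
}

// BuildCommand turns a validated request into a process description without
// ever passing user input through "sh -c": interpreter and script are separate
// argv entries, and the interpreter path comes from the allowlist, not from
// the request.
func (p Policy) BuildCommand(req MiddlewareRequest) (*exec.Cmd, error) {
	if err := p.Validate(req); err != nil {
		return nil, err
	}
	bin := p.AllowedBinaries[filepath.Base(strings.TrimSpace(req.Binary))]
	return exec.Command(bin, req.Script), nil
}

func main() {
	p := DefaultPolicy()
	// Constructed requests: one benign, two shaped like the misuse the advisory
	// describes (a shell named as interpreter; metacharacters in the script).
	requests := []MiddlewareRequest{
		{Binary: "python3", Script: "middleware.py"},
		{Binary: "/bin/sh", Script: "anything"},
		{Binary: "python3", Script: "x.py; id"},
	}
	for _, enabled := range []bool{false, true} {
		p.SetMiddlewareEnabled = enabled
		for _, r := range requests {
			cmd, err := p.BuildCommand(r)
			if err != nil {
				fmt.Printf("enabled=%v %+v -> rejected: %v\n", enabled, r, err)
				continue
			}
			fmt.Printf("enabled=%v %+v -> argv %q\n", enabled, r, cmd.Args)
		}
	}
}
```

With the default policy every request is rejected, which is the CM-7 posture the 1.12.0 fix adopts; once an operator enables the feature, only the benign request survives validation, and even then the process is described as an argv array whose first element is the allowlisted absolute path, so there is no command string for an injected `;` or `|` to act on.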