Cyber Posture

CVE-2025-54123

Critical · Public PoC · RCE

Published: 10 September 2025

Modified: 17 September 2025
KEV Added: not listed
Patch: available (version 1.12.0)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5814 (98.2nd percentile)
Risk Priority: 54 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54123 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Hoverfly, the open source API simulation tool (vendor: Hoverfly). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (flaw remediation): Directly addresses the CVE by requiring timely flaw remediation through upgrading to Hoverfly version 1.12.0, which disables the vulnerable middleware API by default.
- prevent (SI-10, Information Input Validation): Mandates validation and sanitization of user-supplied inputs to the /api/v2/hoverfly/middleware endpoint to block command injection payloads.
- prevent (CM-7, Least Functionality): Enforces least functionality by restricting or disabling the unnecessary middleware API endpoint, preventing exposure to command injection exploits.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Unauthenticated command injection in the exposed middleware API directly enables RCE on a public-facing service (T1190) and arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection at the `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization of user input. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. This issue arises from a combination of three code-level flaws: insufficient input validation in middleware.go lines 94-96; unsafe command execution in local_middleware.go lines 14-19; and immediate execution during testing in hoverfly_service.go line 173. This allows an attacker to gain remote code execution (RCE) on any system running the vulnerable Hoverfly service. Since the input is passed directly to system commands without proper checks, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process. Commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 in version 1.12.0 disables the set middleware API by default, and subsequent changes to the documentation make users aware of the security implications of exposing the set middleware API.

Deeper analysis

CVE-2025-54123 is a command injection vulnerability in Hoverfly, an open source API simulation tool, affecting versions 1.11.3 and prior. The flaw resides in the middleware functionality exposed via the `/api/v2/hoverfly/middleware` endpoint, stemming from three code-level issues: insufficient input validation in middleware.go (lines 94-96), unsafe command execution in local_middleware.go (lines 14-19), and immediate execution during testing in hoverfly_service.go (line 173). This allows user-supplied input to be passed directly to system commands without sanitization, enabling remote code execution (RCE) on the host system running the vulnerable Hoverfly service. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-20 (Improper Input Validation) and CWE-78 (OS Command Injection).

The vulnerability can be exploited by any unauthenticated attacker with network access to the Hoverfly service, as it requires no privileges (PR:N). By sending a malicious payload to the middleware endpoint, an attacker can execute arbitrary system commands, including uploading payloads or spawning reverse shells, all with the privileges of the Hoverfly process. This grants high-impact control over confidentiality, integrity, and availability on the affected system.

Mitigation is addressed in Hoverfly version 1.12.0 via commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40, which disables the set middleware API by default, alongside subsequent documentation updates in commit a9d4da7bd7269651f54542ab790d0c613d568d3e to highlight the security implications of exposing this API. Security practitioners should upgrade to version 1.12.0 or later and review configurations to ensure the middleware API is not unnecessarily enabled. Relevant code references are available at the project's GitHub repository.
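As an added defensive example that is not part of this advisory or of the Hoverfly project: a Go function that scans reverse-proxy access-log lines for write requests to the `/api/v2/hoverfly/middleware` endpoint, so operators of pre-1.12.0 instances can spot attempts to set a middleware from outside the host. The log lines and client addresses are constructed, and the assumption that the middleware is set through a write method (PUT/POST/DELETE) is mine, not taken from the page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one access-log line in which a client changed the middleware.
type Finding struct {
	Line   int
	Client string
	Method string
	Status string
}
// Constructed sample (not real traffic): combined-format access log of a reverse
// proxy in front of Hoverfly's admin port; 203.0.113.7 is a documentation address.
const sampleLog = `10.0.0.5 - - [10/Sep/2025:12:00:01 +0000] "GET /api/v2/hoverfly HTTP/1.1" 200 312
203.0.113.7 - - [10/Sep/2025:12:00:02 +0000] "PUT /api/v2/hoverfly/middleware HTTP/1.1" 200 47
10.0.0.5 - - [10/Sep/2025:12:00:03 +0000] "GET /api/v2/hoverfly/middleware HTTP/1.1" 200 61
203.0.113.7 - - [10/Sep/2025:12:00:04 +0000] "POST /api/v2/simulation HTTP/1.1" 200 12`

// Captures client, method, path and status from a combined-format line.
var logRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// FlagMiddlewareWrites returns every line where a write method (assumed PUT/POST/DELETE)
// targets the middleware endpoint. Reads are ignored: only a write can set the
// middleware binary/script that a vulnerable instance then executes.
func FlagMiddlewareWrites(log string) []Finding {
	var out []Finding
	for i, line := range strings.Split(log, "\n") {
		m := logRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a parseable access-log line
		}
		path := strings.SplitN(m[3], "?", 2)[0] // drop any query string before comparing
		if path != "/api/v2/hoverfly/middleware" {
			continue
		}
		switch m[2] {
		case "PUT", "POST", "DELETE":
			out = append(out, Finding{Line: i + 1, Client: m[1], Method: m[2], Status: m[4]})
		}
	}
	return out
}

func main() {
	for _, f := range FlagMiddlewareWrites(sampleLog) {
		fmt.Printf("line %d: %s middleware endpoint from %s (HTTP %s)\n", f.Line, f.Method, f.Client, f.Status)
	}
}
```

On the constructed sample only line 2 is flagged: the external PUT that set a middleware; the GET of the same endpoint and the POST to the simulation endpoint are not.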

Details

CWE(s): CWE-20 (Improper Input Validation), CWE-78 (OS Command Injection)

Affected Products: hoverfly (vendor) / hoverfly (product), versions ≤ 1.12.0

CVEs Like This One

- CVE-2026-21893 (shared: CWE-20, CWE-78)
- CVE-2025-8876 (shared: CWE-20, CWE-78)
- CVE-2026-25108 (shared: CWE-78)
- CVE-2026-1345 (shared: CWE-78)
- CVE-2025-56590 (shared: CWE-78)
- CVE-2025-64126 (shared: CWE-78)
- CVE-2026-29607 (shared: CWE-78)
- CVE-2025-41684 (shared: CWE-78)
- CVE-2025-23316 (shared: CWE-78)
- CVE-2025-57457 (shared: CWE-78)
