Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54376.json",
"cwe_ids": [
"CWE-200",
"CWE-287"
],
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.12.0"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:hoverfly:hoverfly:*:*:*:*:*:*:*:*"
}