Description
Advisory GHSA-r4h8-hfp2-ggmf references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/SpectoLabs/hoverfly |
Description:
Summary
It has been discovered that the middleware functionality in Hoverfly is vulnerable to command injection through its /api/v2/hoverfly/middleware endpoint due to insufficient validation and sanitization of user input.
Details
The vulnerability exists in the middleware management API endpoint /api/v2/hoverfly/middleware.
This issue arises from a combination of three code-level flaws:
- Insufficient Input Validation in middleware.go line 94-96:
func (this *Middleware) SetBinary(bi...
References:
- ADVISORY: https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-r4h8-hfp2-ggmf
- ADVISORY: https://github.com/advisories/GHSA-r4h8-hfp2-ggmf
- FIX: https://github.com/SpectoLabs/hoverfly/pull/1203
Cross references:
- github.com/SpectoLabs/hoverfly appears in 1 other report(s):
  - data/reports/GO-2024-3108.yaml (https://github.com/golang/vulndb/issues/3108)
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/SpectoLabs/hoverfly
      vulnerable_at: 1.12.0
summary: |-
    Hoverfly is vulnerable to Remote Code Execution through an insecure middleware
    implementation in github.com/SpectoLabs/hoverfly
cves:
    - CVE-2025-54123
ghsas:
    - GHSA-r4h8-hfp2-ggmf
references:
    - advisory: GHSA-r4h8-hfp2-ggmf
    - advisory: GHSA-r4h8-hfp2-ggmf
    - fix: SpectoLabs/hoverfly#1203
source:
    id: GHSA-r4h8-hfp2-ggmf
    created: 2025-09-10T20:01:18.052673593Z
review_status: UNREVIEWED
```