Hoverfly vulnerable to remote code execution at `/api/v2/hoverfly/middleware` endpoint due to insecure middleware implementation

CVE-2025-54123 is a critical vulnerability in Hoverfly, an open source API simulation tool, that enables remote code execution via the /api/v2/hoverfly/middleware endpoint. The root cause is a combination of three flaws in the codebase: insufficient input validation in middleware.go (lines 94-96), where the Binary field is set without sanitization; unsafe command execution in local_middleware.go (lines 14-19), where user-supplied binary and script names are passed directly to exec.Command; and immediate execution during middleware validation in hoverfly_service.go (line 173), which triggers the command without proper checks [1][2][3].

An attacker can exploit this by sending a PUT request to the vulnerable endpoint with a malicious payload, such as a bash command or script. The Hoverfly service writes the script to a temporary file and executes it via /bin/bash /tmp/{hoverfly_script} during middleware validation. This attack requires network access to the Hoverfly admin API (default port 8888) and can be performed with no authentication if the API is exposed [2].

The impact is severe, as an attacker can execute arbitrary commands, deploy reverse shells, or compromise the host server with the privileges of the Hoverfly process. This could lead to full system compromise, data exfiltration, or further lateral movement within the network [1][2].

The fix was implemented in commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 and released in version 1.12.0, which disables the set middleware API by default. Users must explicitly enable it using the --enable-middleware-api flag if needed. Organizations are strongly advised to upgrade to Hoverfly 1.12.0 or later and avoid exposing the admin API to untrusted networks [1][4].