Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Hoverfly Command Injection Vulnerability in Middleware API Endpoint Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in Hoverfly, an open-source API simulation tool, in versions through 1.11.3. The issue arises in the middleware management API endpoint '/api/v2/hoverfly/middleware', where insufficient validation and sanitization of user input create a command injection risk. This vulnerability allows an attacker to execute arbitrary commands, including reverse shells, on the host system with the privileges of the Hoverfly process.

Impact

Exploitation of this vulnerability leads to remote code execution on the affected system, with the executed commands running under the privileges of the Hoverfly process.

Reproduction

To reproduce this vulnerability, send an HTTP PUT request to the '/api/v2/hoverfly/middleware' endpoint with a payload that includes a malicious script or command. Hoverfly will execute the command with its process privileges, allowing for actions such as uploading a reverse shell payload or executing arbitrary commands on the host server.

Remediation

Upgrade to Hoverfly version 1.12.0 or later, where the vulnerability is addressed by disabling the middleware API by default. In version 1.12.0 the middleware API can still be enabled explicitly by passing the flag '--enable-middleware-api' when starting Hoverfly, or via the command 'hoverctl start --enable-middleware-api'.
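The following check is added here and is not part of the advisory or of the Hoverfly project; it covers the two defender-side actions the advisory implies: classifying an instance by its version and start-up flags, and flagging PUT requests to the middleware endpoint in access logs. The version boundary, flag name and endpoint path come from the advisory; the access-log format, the sample lines and the assumption that argv is the hoverfly process's own command line are constructed for this example.

```python
from __future__ import annotations
import re
from typing import Iterable

# Facts from the advisory: fixed in 1.12.0 (middleware API off by default),
# re-enabled only with this start-up flag, and the endpoint that is written to.
FIXED_VERSION = (1, 12, 0)
MIDDLEWARE_FLAG = "--enable-middleware-api"
MIDDLEWARE_PATH = "/api/v2/hoverfly/middleware"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'v1.11.3' or '1.12.0' into a tuple that compares numerically."""
    return tuple(int(part) for part in v.lstrip("v").split("."))


def assess_exposure(version: str, argv: list[str]) -> str:
    """Classify one Hoverfly instance from its version and process arguments.

    argv is assumed (for this example) to be the hoverfly process's own command line.
      < 1.12.0            -> 'vulnerable' (endpoint always on, no fix available)
      >= 1.12.0 with flag -> 'enabled'    (deliberately re-enabled; restrict who can reach it)
      >= 1.12.0 no flag   -> 'disabled'   (default-off)
    """
    if parse_version(version) < FIXED_VERSION:
        return "vulnerable"
    return "enabled" if MIDDLEWARE_FLAG in argv else "disabled"


# Constructed access-log format for this example: timestamp client "METHOD path" status
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2025-09-10T19:20:01Z 10.0.0.5 "GET /api/v2/hoverfly" 200',
    '2025-09-10T19:20:05Z 203.0.113.7 "PUT /api/v2/hoverfly/middleware" 200',
    '2025-09-10T19:20:09Z 10.0.0.5 "PUT /api/v2/simulation" 200',
]


def find_middleware_writes(lines: Iterable[str]) -> list[dict[str, str]]:
    """Return PUT requests to the middleware endpoint; each one changes what Hoverfly executes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["method"] == "PUT" and m["path"].split("?")[0] == MIDDLEWARE_PATH:
            hits.append(m.groupdict())
    return hits
```

Every hit from find_middleware_writes on an instance that assess_exposure reports as 'vulnerable' or 'enabled' is worth treating as a change to what the host will execute, and the client address gives the first pivot for triage.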

Added: Sep 10, 2025, 7:20 PM
Updated: Sep 10, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread           4.5
impact          10.0
exploitability   9.4
remediation      0.0
relevance        0.5
threat           9.0
urgency          2.9
incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.