Hoverfly Authentication Bypass Vulnerability in WebSocket Logs Endpoint

Vulnerability

An authentication bypass vulnerability has been identified in Hoverfly, an open-source API simulation tool, affecting versions through 1.11.3. The admin WebSocket endpoint '/api/v2/ws/logs', which streams Hoverfly's application log in real time, is not protected by the same authentication middleware that guards the REST admin API, so enabling authentication on the admin API leaves this one route open. An unauthenticated remote attacker who can reach the admin port can open the WebSocket and read the live log stream, which may contain internal file paths, the bodies of simulated requests and responses, and other sensitive data that Hoverfly writes to its logs.
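The flaw is a middleware-coverage gap rather than a broken credential check: one route is registered outside the wrapper that every other admin route passes through. The following Go program is an added illustration written for this page, not Hoverfly's own code. It assumes a static bearer token as the stand-in for the real middleware (Hoverfly issues JWTs, but the coverage point is the same), a stand-in `logsHandler` that only answers the WebSocket handshake with 101 instead of hijacking the connection, and the hypothetical route names `/api/v2/hoverfly` and `/api/v2/ws/logs`. `NewVulnerableMux` wires the WebSocket route bare; `NewHardenedMux` puts the whole `/api/` subtree behind one middleware so a new route cannot be forgotten.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireAuth stands in for the admin API's authentication middleware.
// Assumption: a static bearer token; the real middleware validates a JWT,
// but what matters here is which routes pass through it.
func requireAuth(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// restHandler stands in for a REST admin route.
func restHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"mode":"simulate"}`)
}

// logsHandler stands in for the WebSocket log streamer. A real implementation
// would hijack the connection and start pushing log frames; here the 101 reply
// is enough to distinguish "stream started" from "rejected".
func logsHandler(w http.ResponseWriter, r *http.Request) {
	if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
		http.Error(w, "expected websocket upgrade", http.StatusBadRequest)
		return
	}
	w.Header().Set("Upgrade", "websocket")
	w.Header().Set("Connection", "Upgrade")
	w.WriteHeader(http.StatusSwitchingProtocols)
}

// NewVulnerableMux reproduces the flawed pattern: the REST route is wrapped,
// the WebSocket route is registered without the middleware.
func NewVulnerableMux(token string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v2/hoverfly", requireAuth(token, http.HandlerFunc(restHandler)))
	mux.Handle("/api/v2/ws/logs", http.HandlerFunc(logsHandler)) // no auth here
	return mux
}

// NewHardenedMux applies the middleware once to the entire admin subtree,
// so every route under /api/ is checked before any handler runs.
func NewHardenedMux(token string) http.Handler {
	admin := http.NewServeMux()
	admin.HandleFunc("/api/v2/hoverfly", restHandler)
	admin.HandleFunc("/api/v2/ws/logs", logsHandler)

	mux := http.NewServeMux()
	mux.Handle("/api/", requireAuth(token, admin))
	return mux
}

// Probe sends one request to mux and returns the HTTP status it produced.
// An empty bearer means no Authorization header; WebSocket paths get the
// RFC 6455 handshake headers a browser or client library would send.
func Probe(mux http.Handler, path, bearer string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if strings.HasPrefix(path, "/api/v2/ws/") {
		req.Header.Set("Upgrade", "websocket")
		req.Header.Set("Connection", "Upgrade")
		req.Header.Set("Sec-WebSocket-Version", "13")
		req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
	}
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const token = "example-token" // assumption: illustrative secret
	for _, c := range []struct {
		name string
		mux  http.Handler
	}{{"vulnerable", NewVulnerableMux(token)}, {"hardened", NewHardenedMux(token)}} {
		fmt.Printf("%-10s unauthenticated: REST=%d WS logs=%d\n", c.name,
			Probe(c.mux, "/api/v2/hoverfly", ""), Probe(c.mux, "/api/v2/ws/logs", ""))
	}
}
```

Running it prints 401 for both routes on the hardened mux, while the vulnerable mux answers 401 for the REST route but 101 for the WebSocket route, which is exactly the asymmetry the advisory describes. Wrapping the subtree rather than individual routes is the design choice that prevents the regression from recurring.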

Impact

Exploitation gives an unauthenticated attacker read access to Hoverfly's live application log over the WebSocket endpoint, including file paths, request and response details, and any other private data the process emits to its logs. The GitHub advisory rates this authentication bypass as moderate severity: the impact is limited to information disclosure, but no credentials or user interaction are required.

Reproduction

To reproduce, start Hoverfly with authentication enabled and confirm that an unauthenticated request to a REST admin route on the admin port (8888 by default) is rejected with HTTP 401. Then open a WebSocket to '/api/v2/ws/logs' on the same port without any Authorization header or token. On an affected version the server completes the upgrade and immediately begins pushing log entries over the socket; on a fixed version the handshake is rejected in the same way as the REST routes.
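The following Go probe is an added example for the check above, not part of the advisory or of Hoverfly. It sends a bare RFC 6455 client handshake (no Authorization header, no cookie) and classifies the reply: a 101 with an Upgrade header means the log stream opened without credentials. It assumes the admin API is plain HTTP, the default address 127.0.0.1:8888, and the path '/api/v2/ws/logs'; `ClassifyRaw` is a hypothetical helper that runs the same classifier over a canned response so the logic can be checked offline.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"strings"
	"time"
)

const logsPath = "/api/v2/ws/logs"

// Verdict is the outcome of one unauthenticated handshake attempt.
type Verdict struct {
	Status  int
	Exposed bool // true when the server switched protocols without credentials
}

// handshakeRequest builds the minimal WebSocket client handshake for path,
// deliberately carrying no Authorization header or cookie.
func handshakeRequest(host, path string) string {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err) // crypto/rand failure is not recoverable here
	}
	return "GET " + path + " HTTP/1.1\r\n" +
		"Host: " + host + "\r\n" +
		"Upgrade: websocket\r\n" +
		"Connection: Upgrade\r\n" +
		"Sec-WebSocket-Version: 13\r\n" +
		"Sec-WebSocket-Key: " + base64.StdEncoding.EncodeToString(key) + "\r\n\r\n"
}

// ProbeConn writes the handshake to conn and classifies the server's reply.
// It takes an io.ReadWriter so the same logic runs over a live socket or a
// canned response.
func ProbeConn(conn io.ReadWriter, host, path string) (Verdict, error) {
	if _, err := io.WriteString(conn, handshakeRequest(host, path)); err != nil {
		return Verdict{}, err
	}
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return Verdict{}, err
	}
	defer resp.Body.Close()
	upgraded := resp.StatusCode == http.StatusSwitchingProtocols &&
		strings.EqualFold(resp.Header.Get("Upgrade"), "websocket")
	return Verdict{Status: resp.StatusCode, Exposed: upgraded}, nil
}

// ProbeHost dials addr over TCP and runs the check against the real endpoint.
func ProbeHost(addr string) (Verdict, error) {
	conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return Verdict{}, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	return ProbeConn(conn, addr, logsPath)
}

// cannedConn pairs a constructed server reply with a discarded write side,
// so the classifier can be exercised without a network.
type cannedConn struct {
	io.Reader
	io.Writer
}

// ClassifyRaw runs the probe against a constructed raw HTTP response.
func ClassifyRaw(raw string) (Verdict, error) {
	return ProbeConn(cannedConn{strings.NewReader(raw), io.Discard}, "example.test", logsPath)
}

func main() {
	addr := "127.0.0.1:8888" // assumption: Hoverfly's default admin port
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	v, err := ProbeHost(addr)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(2)
	}
	if v.Exposed {
		fmt.Printf("%s: %s accepted an unauthenticated upgrade (HTTP %d): log stream exposed\n", addr, logsPath, v.Status)
		os.Exit(1)
	}
	fmt.Printf("%s: %s rejected the unauthenticated upgrade (HTTP %d)\n", addr, logsPath, v.Status)
}
```

Run it as `go run probe.go host:8888` against an instance started with authentication enabled; exit status 1 means the endpoint is exposed. The classifier requires both the 101 status and the Upgrade header, so a server that answers 101 to everything or a proxy that rewrites the status is not mistaken for a completed WebSocket upgrade.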

Remediation

Upgrade to Hoverfly 1.12.0 or later, which places the WebSocket logs endpoint behind the same authentication requirements as the REST admin API. Until the upgrade is applied, treat the admin port as unauthenticated: restrict it to loopback or a trusted network, and assume that anything written to the Hoverfly log, including captured request and response bodies, may have been read.

Added: Sep 10, 2025, 8:17 PM
Updated: Sep 10, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.