CVE-2024-45388
Published 2024-09-02
Priority: P1 · 83 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 55.86% (98.9th percentile)
Hoverfly is a lightweight service virtualization/ API simulation / API mocking tool for developers and testers. The `/api/v2/simulation` POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server. Note that, although the code prevents absolute paths from being specified, an attacker can escape out of the `hf.Cfg.ResponsesBodyFilesPath` base path by using `../` segments and reach any arbitrary files. This issue was found using the Uncontrolled data used in path expression CodeQL query for python. Users are advised to make sure the final path (`filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath)`) is contained within the expected base path (`filepath.Join(hf.Cfg.ResponsesBodyFilesPath, "/")`). This issue is also tracked as GHSL-2023-274.
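The containment check the advisory recommends, as an added Go example (not Hoverfly's own code): `vulnerableJoin` reconstructs the pre-1.10.3 behaviour from the description (absolute paths rejected, `../` segments not), and `safeJoin` additionally rejects any result that resolves outside the cleaned base directory. The base path `/srv/hoverfly/bodies` and Linux path semantics are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the resolved path escapes the base directory.
var ErrOutsideBase = errors.New("bodyFile resolves outside ResponsesBodyFilesPath")

// vulnerableJoin mirrors the check described for versions before 1.10.3:
// absolute paths are rejected, but "../" segments are not, so Join can
// land outside base. (Reconstruction for illustration, not Hoverfly's code.)
func vulnerableJoin(base, filePath string) (string, error) {
	if filepath.IsAbs(filePath) {
		return "", fmt.Errorf("bodyFile contains absolute path (%s). only relative is supported", filePath)
	}
	return filepath.Join(base, filePath), nil
}

// safeJoin adds the containment check the advisory advises: the final path
// must stay inside the cleaned base (what filepath.Join(base, "/") yields).
func safeJoin(base, filePath string) (string, error) {
	if filepath.IsAbs(filePath) {
		return "", fmt.Errorf("bodyFile contains absolute path (%s). only relative is supported", filePath)
	}
	root := filepath.Clean(base)
	full := filepath.Join(root, filePath) // Join cleans, collapsing "../" segments
	// A relative path from root that starts with ".." means we escaped it.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	const base = "/srv/hoverfly/bodies" // assumed ResponsesBodyFilesPath
	for _, p := range []string{"responses/ok.json", "../../../../etc/passwd"} {
		v, _ := vulnerableJoin(base, p)
		s, err := safeJoin(base, p)
		fmt.Printf("%-25s vulnerable=%s hardened=%q err=%v\n", p, v, s, err)
	}
}
```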
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | spectolabs_hoverfly | >= 0 < 1.10.3 | 1.10.3 |
| hoverfly | hoverfly | < 1.10.3 | 1.10.3 |
| spectolabs | hoverfly | < 1.10.3 | 1.10.3 |
Detection & IOCs (extracted from sources)

Snort / Suricata rule (sid 2055977):

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Hoverfly Arbitrary File Read via Traversal Attempt Inbound (CVE-2024-45388)"; flow:established,to_server; http.uri; content:"/api/v2/simulation"; fast_pattern; http.request_body; content:"|22|bodyFile|22 3a 20 22|"; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,}(?:(?:\x2f|%2[Ee])|(?:\x5c|%5[Cc]))){2,}/R"; reference:cve,2024-45388; classtype:web-application-attack; sid:2055977; rev:1; metadata:affected_product Hoverfly, attack_target Server, created_at 2024_09_19, cve CVE_2024_45388, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_09_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Exploit payload targets the PUT /api/v2/simulation endpoint with a JSON body containing a 'bodyFile' key set to a path-traversal string (e.g., ../../../../../../../etc/passwd). Match on HTTP method PUT or POST to this URI combined with 'bodyFile' in the request body.
- Successful exploitation response contains both 'root:.*:0:0:' (passwd file content) and the string 'hoverflyVersion' in a 200 OK JSON response with Content-Type: application/json.
- Path traversal uses `../` segments to escape the ResponsesBodyFilesPath base directory. The Snort PCRE matches dot-encoded or percent-encoded traversal sequences (e.g., %2e%2e%2f) in the bodyFile value immediately following the JSON key.
- Hoverfly instances exposed on the internet can be identified via Shodan using the favicon hash 1357234275 to scope detection or hunting.
- The vulnerability only exists in Hoverfly versions prior to 1.10.3. The path traversal is possible because absolute paths are blocked but relative `../` sequences are not sanitized against the ResponsesBodyFilesPath base path.
- The Nuclei template uses the PUT HTTP method against /api/v2/simulation, while the CVE description references the POST handler; detection rules should cover both PUT and POST methods on this endpoint.
- The exploit requires no authentication (PR:N), making it exploitable by unauthenticated remote attackers against any network-accessible Hoverfly instance.
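The detection logic from the notes above, as an added Go example rather than any source's rule: it checks method and URI, then applies the rule's traversal pattern relative to the `bodyFile` key, the way the rule's `/R` modifier does. It assumes a pre-parsed request and, beyond the rule's literal bytes, tolerates missing whitespace around the colon and accepts `%2f`/`%5c` as the encoded slash and backslash.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// keyRe locates the JSON key the rule anchors on (its content match is the
// exact bytes `"bodyFile": "`); whitespace tolerance is an assumption here.
var keyRe = regexp.MustCompile(`"bodyFile"\s*:\s*"`)

// travRe follows the rule's PCRE: within 10 chars of the key, two or more
// segments of dots (literal or %2e) followed by a slash or backslash
// (literal, %2f or %5c). Go's RE2 engine accepts this pattern as written.
var travRe = regexp.MustCompile(`^.{0,10}(?:(?:\.|%2[Ee])+(?:/|%2[Ff]|\\|%5[Cc])){2,}`)

// Request is a minimal parsed HTTP request (constructed for this example).
type Request struct {
	Method, URI, Body string
}

// IsHoverflyTraversal reports whether a request matches the detection logic:
// PUT or POST to /api/v2/simulation with a traversal string in bodyFile.
func IsHoverflyTraversal(r Request) bool {
	if r.Method != "PUT" && r.Method != "POST" {
		return false
	}
	if !strings.Contains(r.URI, "/api/v2/simulation") {
		return false
	}
	for _, loc := range keyRe.FindAllStringIndex(r.Body, -1) {
		// Like the rule's /R modifier: match relative to the end of the key.
		if travRe.MatchString(r.Body[loc[1]:]) {
			return true
		}
	}
	return false
}

func main() {
	samples := []Request{ // constructed sample requests, not captured traffic
		{"PUT", "/api/v2/simulation", `{"response":{"bodyFile":"../../../../etc/passwd"}}`},
		{"POST", "/api/v2/simulation", `{"response":{"bodyFile": "%2e%2e%2f%2e%2e%2fetc/passwd"}}`},
		{"PUT", "/api/v2/simulation", `{"response":{"bodyFile":"responses/ok.json"}}`},
	}
	for _, s := range samples {
		fmt.Printf("%s %s alert=%v\n", s.Method, s.URI, IsHoverflyTraversal(s))
	}
}
```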
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
OSV · 2024-09-06
Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`) in github.com/SpectoLabs/hoverfly

OSV · 2024-09-03
CVE-2024-45388 [HIGH] Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`)
### Details
The `/api/v2/simulation` [POST handler](https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/handlers/v2/simulation_handler.go#L87) allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server.
```go
// https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/hoverfly_funcs.go#L186
func (hf *Hoverfly) readResponseBodyFile(filePath string) (string, error) {
	if filepath.IsAbs(filePath) {
		return "", fmt.Errorf("bodyFile contains absolute path (%s). only relative is supported", filePath)
	}
	fileContents // ... advisory quote truncated in source; the read follows on filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath)
```
GHSA · 2024-09-03
CVE-2024-45388 [HIGH] CWE-200 Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`)
VulnCheck · 2024 · CVSS 7.5
CVE-2024-45388 [HIGH] hoverfly hoverfly: Exposure of Sensitive Information to an Unauthorized Actor
Suricata · 2024-09-19 · CVSS 7.5
CVE-2024-45388 [HIGH] ET WEB_SPECIFIC_APPS Hoverfly Arbitrary File Read via Traversal Attempt Inbound (CVE-2024-45388)
Nuclei · CVSS 7.5
CVE-2024-45388 [HIGH] Hoverfly < 1.10.3 - Arbitrary File Read
Template (truncated in source):
```yaml
id: CVE-2024-45388
info:
  name: Hoverfly < 1.10.3 - Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Hoverfly is a lightweight service virtualization/ API simulation / API mocking tool for developers and testers. The /api/v2/simulation POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker
```
GreyNoise · NoiseLetter October 2025 (blogs_greynoiseio)
arXiv · 2025-11-14
PATCHEVAL: A New Benchmark for Evaluating LLMs on Patching Real-World Vulnerabilities
Zichao Wei, Jun Zeng, Ming Wen, Zeliang Yu, Kai Cheng, Yiding Zhu, Jingyi Guo, Shiqi Zhou, Le Yin, Xiaodong Su, Zhechao Ma (Huazhong University of Science and Technology; ByteDance)
Abstract (truncated in source): Software vulnerabilities are increasing at an alarming rate. However, manual patching is both time-consuming and res
References
- https://codeql.github.com/codeql-query-help/go/go-path-injection
- https://github.com/SpectoLabs/hoverfly/releases/tag/v1.10.3
- https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-6xx4-x46f-f897
- https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/handlers/v2/simulation_handler.go#L87