{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/hoverfly--1.12.7/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hoverfly (\u003c= 1.12.7)"],"_cs_severities":["medium"],"_cs_tags":["race-condition","denial-of-service","go-lang"],"_cs_type":"advisory","_cs_vendors":["SpectoLabs"],"content_html":"\u003cp\u003eHoverfly, a lightweight service virtualization tool, is affected by CVE-2026-50013, a high-severity denial-of-service vulnerability. This flaw exists specifically when Hoverfly is operating in its \u0026quot;Diff mode.\u0026quot; The vulnerability stems from an unsynchronized write operation to the internal \u003ccode\u003eresponsesDiff\u003c/code\u003e map within the \u003ccode\u003eAddDiff()\u003c/code\u003e function. When multiple HTTP proxy requests are handled concurrently - a common scenario for any proxy - multiple goroutines attempt to modify this shared map simultaneously without proper locking mechanisms (such as a mutex). Go's runtime environment, designed to detect such concurrent map accesses, triggers a \u003ccode\u003efatal error: concurrent map read and map write\u003c/code\u003e. This unrecoverable error immediately terminates the entire Hoverfly process. The vulnerability is trivial to exploit; any attacker with network access to the Hoverfly proxy port can initiate a denial-of-service simply by sending multiple simultaneous requests, causing the application to crash. Affected versions include Hoverfly v1.12.7 and earlier, impacting any organization utilizing Diff mode for API comparison or testing.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains network access to a running Hoverfly proxy instance.\u003c/li\u003e\n\u003cli\u003eThe Hoverfly instance is explicitly configured to operate in \u0026quot;Diff mode.\u0026quot;\u003c/li\u003e\n\u003cli\u003eThe attacker sends multiple, concurrent HTTP proxy requests through the Hoverfly instance, targeting any upstream URL.\u003c/li\u003e\n\u003cli\u003eEach concurrent request processed by Hoverfly triggers a separate goroutine to invoke the \u003ccode\u003eAddDiff()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eAddDiff()\u003c/code\u003e, these multiple goroutines attempt to perform unsynchronized read and write operations on the shared \u003ccode\u003eresponsesDiff\u003c/code\u003e map.\u003c/li\u003e\n\u003cli\u003eGo's runtime environment detects the concurrent map read and write conflict, identifying a critical race condition.\u003c/li\u003e\n\u003cli\u003eThe Go runtime explicitly executes a \u003ccode\u003efatal error: concurrent map read and map write\u003c/code\u003e due to its built-in race detection mechanism.\u003c/li\u003e\n\u003cli\u003eThe entire Hoverfly process immediately terminates, resulting in a complete denial of service for all users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability leads to a full denial of service (DoS) for any Hoverfly instance running in Diff mode. The process terminates immediately upon exploitation and cannot be recovered without a manual restart. The exploitation is trivial, requiring only network access to the proxy port and no specific administrative API access. Because Go's \u003ccode\u003efatal error\u003c/code\u003e mechanism is unrecoverable, the process is unconditionally killed, preventing any programmatic recovery attempts. This affects any team or environment using Hoverfly in Diff mode for tasks such as API comparison or testing, potentially disrupting development pipelines, QA environments, or any other service relying on the proxy. The vulnerability impacts Hoverfly versions up to and including v1.12.7.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-50013 by upgrading Hoverfly to a version that addresses this vulnerability once available.\u003c/li\u003e\n\u003cli\u003eUntil a patch for CVE-2026-50013 is applied, avoid running Hoverfly in \u0026quot;Diff mode\u0026quot; in production or externally exposed environments.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and firewall rules to restrict access to the Hoverfly proxy port, allowing only trusted IP ranges to connect.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T19:22:14Z","date_published":"2026-07-14T19:22:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-hoverfly-dos/","summary":"Hoverfly, when running in Diff mode, is vulnerable to a denial-of-service condition due to a concurrent map write race condition in the `AddDiff()` function. Multiple proxy requests processed simultaneously cause unsynchronized writes to the shared `responsesDiff` map, triggering Go's built-in race detector and a `fatal error`, which immediately terminates the Hoverfly process. This vulnerability is trivially exploitable by sending multiple concurrent requests to the proxy port, leading to a full denial of service that cannot be recovered without a restart.","title":"Hoverfly Process Crash via Concurrent Map Write Race Condition","url":"https://feed.craftedsignal.io/briefs/2026-07-hoverfly-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Hoverfly (\u003c= 1.12.7)","version":"https://jsonfeed.org/version/1.1"}