Two vulnerabilities identified in Hoverfly affect the Diff Mode processing mechanism due to an unsynchronized concurrent write operation in the shared responsesDiff map. When multiple proxy requests are processed simultaneously, race conditions can occur, potentially causing the Hoverfly process to crash and resulting in denial-of-service conditions. The issues are caused by improper handling of concurrent access and have been addressed in a patched release.
CVE-2026-50013 (CVSS 7.5 — High): A race condition vulnerability in Hoverfly Diff mode allows concurrent requests to trigger unsynchronized access to the responsesDiff map, causing a fatal Go runtime crash and resulting in a complete denial-of-service condition.[/subscribe_to_unlock_form]
Two vulnerabilities identified in Hoverfly affect the Diff Mode processing mechanism due to an unsynchronized concurrent write operation in the shared responsesDiff map. When multiple proxy requests are processed simultaneously, race conditions can occur, potentially causing the Hoverfly process to crash and resulting in denial-of-service conditions. The issues are caused by improper handling of concurrent access and have been addressed in a patched release.
CVE-2026-50013 (CVSS 7.5 — High): A race condition vulnerability in Hoverfly Diff mode allows concurrent requests to trigger unsynchronized access to the responsesDiff map, causing a fatal Go runtime crash and resulting in a complete denial-of-service condition.[emaillocker id="1283"]
CVE-2026-50018 (CVSS 6.5 — Medium): A goroutine leak vulnerability in Hoverfly remote post-serve actions allows attackers to exhaust system resources by triggering unlimited blocking goroutines through unresponsive remote endpoints, potentially causing memory exhaustion and denial-of-service (DoS).
We recommend you to update github.com/SpectoLabs/hoverfly to version 1.12.10 or later.
The following reports contain further technical details:
[/emaillocker]