| عنوان | NousResearch hermes-agent 2026.4.23 Injection (CWE-74) |
|---|
| الوصف | # Technical Details
A zero-click context-file injection scanner regex bypass exists in the `_scan_context_content()` method in `agent/prompt_builder.py` of hermes-agent.
The application fails to align duplicate regex scanning patterns for threat detection, utilizing an outdated iteration of the scanner regex `ignore\s+(previous|all|above|prior)\s+instructions` that does not account for intervening words.
# Vulnerable Code
File: agent/prompt_builder.py
Method: _scan_context_content()
Why: The first matched pattern captures a single keyword before `\s+instructions`. If an attacker adds another qualifier (e.g., `ignore all prior instructions`), the alternation fails since `prior` doesn't directly precede `instructions`. This bypasses the prompt injection scanner, returning false negatives.
# Reproduction
1. Clone an attacker-provided repository containing a poisoned contextual file (e.g., `AGENTS.md`) using the string `ignore all prior instructions`.
2. Initiate `hermes` or `hermes-agent` within the repository directory.
3. The context auto-loader parses the file, scanning it using the flawed regex which returns clear.
4. The LLM immediately adopts and acts upon the maliciously injected system prompt context.
# Impact
- Zero-click full prompt-override primitive upon initializing the hermes assistant in an attacker-controlled directory.
- Can be exploited to orchestrate execution sequences chaining tool usage such as `terminal`, `write_file`, and network endpoints. |
|---|
| المصدر | ⚠️ https://gist.github.com/YLChen-007/581fd92de5548fbaacb2092e848a75cc |
|---|
| المستخدم | Eric-i (UID 97584) |
|---|
| ارسال | 24/04/2026 03:01 PM (1 شهر منذ) |
|---|
| الاعتدال | 23/05/2026 12:33 PM (29 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 365329 [NousResearch hermes-agent 2026.4.23 agent/prompt_builder.py _scan_context_content تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|