| Title | NousResearch hermes-agent 2026.4.16 Improper Privilege Management (CWE-269) |
|---|
| Description | # Technical Details
Unrestricted host code execution and credential leakage exist in the `execute_code()` method in `tools/code_execution_tool.py` of hermes-agent.
The application fails to apply the dangerous-command approval paths and does not comprehensively scrub subprocess environment variables: it relies on a substring-based blocklist (`_SECRET_SUBSTRINGS`) that omits many standard credential naming conventions, and it uses excessive passthrough prefixes (`HERMES_*`).
# Vulnerable Code
File: tools/code_execution_tool.py
Method: execute_code()
Why: The code spawns Python executions directly through `subprocess.Popen()` without routing them through the standard `_check_all_guards()` mechanism used in terminal operations. Additionally, variables whose names match no substring in `_SECRET_SUBSTRINGS` (e.g., `DATABASE_URL`) are leaked into the executing subprocess scope.
# Reproduction
1. Through prompt injection or interaction, induce the Agent to run Python payloads via `execute_code`.
2. The payload accesses and iterates over `os.environ`.
3. Secrets under names the blocklist does not cover (e.g., `DATABASE_URL`, `SLACK_WEBHOOK`, `AWS_ACCESS_ID`) are accessible in plaintext.
4. The payload accesses the internet directly and downloads malicious resources, without any approval prompt.
# Impact
- Arbitrary Python code execution on the host without interactive confirmation.
- Credential leakage through the subprocess environment, allowing attackers to remotely exfiltrate sensitive data. |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/43c72d19668421abe8ce10f299323a0a |
|---|
| User | Eric-i (UID 97584) |
|---|
| Submission | 24/04/2026 03:02 PM (1 month ago) |
|---|
| Moderation | 23/05/2026 12:33 PM (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 365331 [NousResearch hermes-agent up to 2026.4.16 Environment Variable code_execution_tool.py execute_code privilege escalation] |
|---|
| Points | 20 |
|---|
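
The environment-scrubbing weakness in the description, shown as an added example (not hermes-agent code): a substring blocklist with a prefix passthrough next to an allowlist that builds the child environment from known-safe names only. The blocklist contents, the allowlist, the ordering of the prefix check, and all sample variables are constructed assumptions.

```python
import os
import subprocess
import sys

# Constructed stand-in for a substring blocklist; NOT the project's actual list.
ASSUMED_SECRET_SUBSTRINGS = ("KEY", "TOKEN", "SECRET", "PASSWORD")
# Prefix from the report; assumed here to bypass the substring check.
PASSTHROUGH_PREFIXES = ("HERMES_",)
# Hypothetical minimal allowlist for a child interpreter on a POSIX host.
SAFE_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "LC_ALL", "TMPDIR"})

# Constructed sample environment; every value is a placeholder.
SAMPLE_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "HOME": "/tmp",
    "OPENAI_API_KEY": "constructed",
    "DATABASE_URL": "constructed",
    "SLACK_WEBHOOK": "constructed",
    "AWS_ACCESS_ID": "constructed",
    "HERMES_UPSTREAM_TOKEN": "constructed",
}
SENSITIVE = set(SAMPLE_ENV) - {"PATH", "HOME"}

def blocklist_env(env):
    """Weak form: drop names containing a listed substring, pass prefixed names."""
    return {k: v for k, v in env.items()
            if k.startswith(PASSTHROUGH_PREFIXES)
            or not any(s in k.upper() for s in ASSUMED_SECRET_SUBSTRINGS)}

def allowlist_env(env, extra=()):
    """Hardened form: the child gets only names that are explicitly allowed."""
    allowed = SAFE_ALLOWLIST | set(extra)
    return {k: v for k, v in env.items() if k in allowed}

def leaked(env):
    """Sensitive names that survive a filter."""
    return sorted(SENSITIVE & set(env))

def child_visible_names(env):
    """Spawn a child interpreter with `env` and return the names it can read."""
    code = "import os; print('\\n'.join(os.environ))"
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True).stdout
    return set(out.split())

if __name__ == "__main__":
    print("blocklist leaks:", leaked(blocklist_env(SAMPLE_ENV)))
    print("allowlist leaks:", leaked(allowlist_env(SAMPLE_ENV)))
    print("child sees:", sorted(child_visible_names(allowlist_env(SAMPLE_ENV))))
```

Environment scrubbing covers only the credential-leakage half of the report; the missing approval check before execution is a separate control.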