Submission #812230: NousResearch hermes-agent 2026.4.23 Incorrect Comparison (CWE-697)

Title: NousResearch hermes-agent 2026.4.23 Incorrect Comparison (CWE-697)
Description:

# Technical Details

A Remote Code Execution vulnerability via configuration bypass exists in the `_discover_dashboard_plugins()` method in `hermes_cli/web_server.py` of hermes-agent. The application does not safely parse boolean environment variables when gating project plugins (specifically `HERMES_ENABLE_PROJECT_PLUGINS`): a non-empty opt-out string such as `false` is evaluated as truthy in a Python boolean context instead of being parsed with the secure `utils.env_var_enabled` helper.

# Vulnerable Code

File: hermes_cli/web_server.py
Method: _discover_dashboard_plugins()
Why: The check fetches the raw string with `os.environ.get("HERMES_ENABLE_PROJECT_PLUGINS")`. Because a non-empty string such as "false" evaluates as truthy in a boolean check, a setting intended to disable the feature is flipped to enabled. The platform then automatically imports and runs custom local plugins through `_mount_plugin_api_routes()`.

# Reproduction

1. Ensure the user environment sets `HERMES_ENABLE_PROJECT_PLUGINS=false`.
2. Navigate to an attacker-controlled directory containing malicious dashboard plugins (`.hermes/plugins/<name>/dashboard/manifest.json` pointing to `api.py`).
3. Start the CLI web-dashboard interface via `hermes --web`.
4. The system interprets `false` as enabled and imports the malicious `api.py` module, executing its code immediately with the privileges of the dashboard process.

# Impact

- Pre-auth Remote Code Execution (RCE).
- Users who have deliberately disabled project plugins are still exposed as soon as they open the dashboard from an untrusted repository.
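As an added illustration (not code from hermes-agent or from the linked gist), the flawed truthiness check sits next to a strict boolean parser of the kind the report's `utils.env_var_enabled` reference implies; the accepted spellings and the function signatures are assumptions, not the project's actual implementation.

```python
from typing import Mapping

# Accepted spellings for an opt-in / opt-out flag. This parser is an assumed
# stand-in for hermes-agent's utils.env_var_enabled, not the real helper.
_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off", ""}


def naive_enabled(env: Mapping[str, str], name: str) -> bool:
    """The flawed pattern: bool() of any non-empty string is True, so the
    opt-out value 'false' is treated as enabled."""
    return bool(env.get(name))


def env_var_enabled(env: Mapping[str, str], name: str, default: bool = False) -> bool:
    """Strict parser: only recognised spellings count, case- and
    whitespace-insensitive; anything else is rejected rather than guessed."""
    raw = env.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"{name}: unrecognised boolean value {raw!r}")


def should_load_project_plugins(env: Mapping[str, str], strict: bool = True) -> bool:
    """Gate evaluated before any .hermes/plugins/*/dashboard/api.py is imported.
    strict=False reproduces the vulnerable behaviour for comparison."""
    check = env_var_enabled if strict else naive_enabled
    return check(env, "HERMES_ENABLE_PROJECT_PLUGINS")


if __name__ == "__main__":
    # Constructed environment mimicking a user who explicitly opted out.
    opted_out = {"HERMES_ENABLE_PROJECT_PLUGINS": "false"}
    print("naive :", should_load_project_plugins(opted_out, strict=False))  # True (bug)
    print("strict:", should_load_project_plugins(opted_out))                # False
```

Wiring the strict parser in front of the plugin import is the fix the report points at; rejecting unknown spellings with an error is preferable to silently defaulting either way.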
Source: https://gist.github.com/YLChen-007/062b77ceac6aa9844842a616f5d2ef30
User: Eric-i (UID 97584)
Submission: 2026-04-24 15:03 (1 month ago)
Moderation: 2026-05-23 12:33 (29 days later)
Status: Accepted
VulDB Entry: 365332 [NousResearch hermes-agent 2026.4.23 CLI web-dashboard Interface hermes_cli/web_server.py _discover_dashboard_plugins HERMES_ENABLE_PROJECT_PLUGINS privilege escalation]
Points: 20
