| Titre | NousResearch hermes-agent 2026.4.23 Injection (CWE-74) |
|---|
| Description | # Technical Details
A multi-word prompt injection bypass exists in the skills threat detection logic in `agent/skills_guard.py` of hermes-agent.
The application fails to consistently apply flexible whitespace and multi-word matching regex across all threat patterns (`THREAT_PATTERNS`), specifically leaving the "system prompt override" and "new policy" patterns vulnerable to bypass by injecting extraneous filler words.
# Vulnerable Code
File: agent/skills_guard.py
Method: THREAT_PATTERNS definition
Why: While some regex patterns were patched to accommodate multi-word inclusions via `(?:\w+\s+)*`, critical filters like `r'system\s+prompt\s+override'` and `r'new\s+policy'` remain rigid. Injecting words such as `system prompt temporary override` evades the matcher.
# Reproduction
1. Create a malicious skill payload containing the phrase `system prompt temporary override`.
2. Submit the payload to the agent's `skills_guard.py` install process.
3. The regex fails to match the injected threat pattern, leading to the payload being accepted as a safe skill.
4. The system prompt is subsequently overridden implicitly without quarantine.
# Impact
- Evasion of "Critical" severity skill checks, allowing malicious skills to be installed into the workspace.
- Unauthorized manipulation of the agent's execution logic by persistently hijacking future sessions to run arbitrary malicious actions or override policies without detection. |
|---|
| La source | ⚠️ https://gist.github.com/YLChen-007/82a3539d6358842e69dfaef0a9fcf14a |
|---|
| Utilisateur | Eric-i (UID 97584) |
|---|
| Soumission | 24/04/2026 14:43 (il y a 1 mois) |
|---|
| Modérer | 23/05/2026 11:19 (29 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 365316 [NousResearch hermes-agent jusqu’à 2026.4.23 Skills Guard Multi-Word Prompt agent/skills_guard.py THREAT_PATTERNS élévation de privilèges] |
|---|
| Points | 20 |
|---|