| शीर्षक | NousResearch hermes-agent <= v2026.4.30 Injection (CWE-74) |
|---|
| विवरण | # Technical Details
A Persistent Prompt Injection exists in the `_scan_memory_content` method in `tools/memory_tool.py` and `tools/mcp_tool.py` of hermes-agent.
The application fails to correctly handle intervening words in its prompt injection regex patterns, allowing multi-word bypass payloads to be written to persistent memory.
# Vulnerable Code
File: tools/memory_tool.py
Method: _scan_memory_content
Why: The regex `(r'ignore\s+(previous|all|above|prior)\s+instructions', "prompt_injection")` expects exactly one separating keyword. Payloads with extra words bypass the scanner.
# Reproduction
1. Send a crafted message with a multi-word payload (e.g., "ignore ALL prior instructions") via any external interface (API, Discord, Slack).
2. The LLM processes the request and calls the memory tool to save the content.
3. The scanner returns `None` (bypass) and the injection payload is written to `MEMORY.md`.
4. On the next session start, the payload is persistently injected into the agent's system prompt.
# Impact
- Permanently alter the agent's instructions, persona, or goals for all future sessions.
- Establish a persistent backdoor that survives restarts and overrides safety constraints. |
|---|
| स्रोत | ⚠️ https://gist.github.com/YLChen-007/a1fb77ad2488c545a35d0f66356ea7b4 |
|---|
| उपयोगकर्ता | Eric-j (UID 98073) |
|---|
| सबमिशन | 07/05/2026 03:41 PM (29 दिन पहले) |
|---|
| संयम | 31/05/2026 09:51 AM (24 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 367502 [NousResearch hermes-agent तक 2026.4.30 tools/memory_tool.py _scan_memory_content अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|