| 제목 | NousResearch hermes-agent 2026.4.23 Injection (CWE-74) |
|---|
| 설명 | # Technical Details
A zero-click context-file injection scanner regex bypass exists in the `_scan_context_content()` method in `agent/prompt_builder.py` of hermes-agent.
The application fails to align duplicate regex scanning patterns for threat detection, utilizing an outdated iteration of the scanner regex `ignore\s+(previous|all|above|prior)\s+instructions` that does not account for intervening words.
# Vulnerable Code
File: agent/prompt_builder.py
Method: _scan_context_content()
Why: The first matched pattern captures a single keyword before `\s+instructions`. If an attacker adds another qualifier (e.g., `ignore all prior instructions`), the alternation fails since `prior` doesn't directly precede `instructions`. This bypasses the prompt injection scanner, returning false negatives.
# Reproduction
1. Clone an attacker-provided repository containing a poisoned contextual file (e.g., `AGENTS.md`) using the string `ignore all prior instructions`.
2. Initiate `hermes` or `hermes-agent` within the repository directory.
3. The context auto-loader parses the file, scanning it using the flawed regex which returns clear.
4. The LLM immediately adopts and acts upon the maliciously injected system prompt context.
# Impact
- Zero-click full prompt-override primitive upon initializing the hermes assistant in an attacker-controlled directory.
- Can be exploited to orchestrate execution sequences chaining tool usage such as `terminal`, `write_file`, and network endpoints. |
|---|
| 원천 | ⚠️ https://gist.github.com/YLChen-007/581fd92de5548fbaacb2092e848a75cc |
|---|
| 사용자 | Eric-i (UID 97584) |
|---|
| 제출 | 2026. 04. 24. PM 03:01 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 23. PM 12:33 (29 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 365329 [NousResearch hermes-agent 2026.4.23 agent/prompt_builder.py _scan_context_content 권한 상승] |
|---|
| 포인트들 | 20 |
|---|