| 제목 | NousResearch hermes-agent 2026.4.16 Improper Privilege Management (CWE-269) |
|---|
| 설명 | # Technical Details
Unrestricted host code execution and credential leakage exists in the `execute_code()` method in `tools/code_execution_tool.py` of hermes-agent.
The application fails to apply dangerous-command approval paths or comprehensively scrub subprocess environment variables, utilizing a substring-based blocklist (`_SECRET_SUBSTRINGS`) that omits many standard credential naming implementations and using excessive passthrough prefixes (`HERMES_*`).
# Vulnerable Code
File: tools/code_execution_tool.py
Method: execute_code()
Why: The code spawns python executions directly through `subprocess.Popen()` without requesting evaluations via the default standard `_check_all_guards()` mechanism seen in terminal operations. Additionally, variables without substring match definitions in `_SECRET_SUBSTRINGS` (i.e., `DATABASE_URL`) are leaked into the executing subprocess scope.
# Reproduction
1. Through prompt injection or interaction, induce the Agent to run python payloads via `execute_code`.
2. The payload accesses and iterates over `os.environ`.
3. Secrets mapping to unsupported namespaces (e.g., `DATABASE_URL`, `SLACK_WEBHOOK`, `AWS_ACCESS_ID`) are accessed in plaintext.
4. The payload natively requests the internet directly downloading malicious resources, completely unprompted.
# Impact
- Arbitrary Python code execution on the host without interactive confirmation.
- Subprocess environmental credential leakage allowing attackers to remotely exfiltrate sensitive data. |
|---|
| 원천 | ⚠️ https://gist.github.com/YLChen-007/43c72d19668421abe8ce10f299323a0a |
|---|
| 사용자 | Eric-i (UID 97584) |
|---|
| 제출 | 2026. 04. 24. PM 03:02 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 23. PM 12:33 (29 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 365331 [NousResearch hermes-agent 까지 2026.4.16 Environment Variable code_execution_tool.py execute_code 권한 상승] |
|---|
| 포인트들 | 20 |
|---|