| Название | NousResearch hermes-agent 2026.4.23 Injection (CWE-74) |
|---|
| Описание | # Technical Details
A multi-word prompt injection bypass exists in the skills threat detection logic in `agent/skills_guard.py` of hermes-agent.
The application fails to consistently apply flexible whitespace and multi-word matching regex across all threat patterns (`THREAT_PATTERNS`), specifically leaving the "system prompt override" and "new policy" patterns vulnerable to bypass by injecting extraneous filler words.
# Vulnerable Code
File: agent/skills_guard.py
Method: THREAT_PATTERNS definition
Why: While some regex patterns were patched to accommodate multi-word inclusions via `(?:\w+\s+)*`, critical filters like `r'system\s+prompt\s+override'` and `r'new\s+policy'` remain rigid. Injecting words such as `system prompt temporary override` evades the matcher.
# Reproduction
1. Create a malicious skill payload containing the phrase `system prompt temporary override`.
2. Submit the payload to the agent's `skills_guard.py` install process.
3. The regex fails to match the injected threat pattern, leading to the payload being accepted as a safe skill.
4. The system prompt is subsequently overridden implicitly without quarantine.
# Impact
- Evasion of "Critical" severity skill checks, allowing malicious skills to be installed into the workspace.
- Unauthorized manipulation of the agent's execution logic by persistently hijacking future sessions to run arbitrary malicious actions or override policies without detection. |
|---|
| Источник | ⚠️ https://gist.github.com/YLChen-007/82a3539d6358842e69dfaef0a9fcf14a |
|---|
| Пользователь | Eric-i (UID 97584) |
|---|
| Представление | 24.04.2026 14:43 (1 месяц назад) |
|---|
| Модерация | 23.05.2026 11:19 (29 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 365316 [NousResearch hermes-agent до 2026.4.23 Skills Guard Multi-Word Prompt agent/skills_guard.py THREAT_PATTERNS эскалация привилегий] |
|---|
| Баллы | 20 |
|---|