Отправить #852843: NousResearch hermes-agent 2026.5.29.2 Cross-site Scripting (CWE-79)Информация

НазваниеNousResearch hermes-agent 2026.5.29.2 Cross-site Scripting (CWE-79)
Описание# Technical Details A Cross-site Scripting vulnerability exists in the `MatrixAdapter._markdown_to_html` method in `gateway/platforms/matrix.py` of hermes-agent. The application fails to escape attacker-supplied raw HTML or sanitize dangerous URL schemes (such as `javascript:`, `data`, and `vbscript`) before writing the converted text directly into Matrix `formatted_body` payloads. # Vulnerable Code File: gateway/platforms/matrix.py Method: _markdown_to_html Why: The adapter directly returns `md.convert(text)` output without escaping raw HTML or filtering link schemes. As long as the `markdown` dependency is importable (which is true when the documented Matrix extra is installed), this code path remains active and bypasses a safer fallback implementation that usually filters these schemes. # Reproduction 1. Ensure Hermes Agent is configured with the Matrix extra installed (where the `markdown` package is importable). 2. Through normal message delivery, supply attacker-controlled text containing raw HTML or a dangerous Markdown link (e.g., `<img src=x onerror="alert(1)">` or `[click](javascript:alert(1))`). 3. Observe that the emitted Matrix payload preserves the raw HTML and dangerous URI scheme inside the `formatted_body` (under `org.matrix.custom.html`). # Impact - Malicious links can be injected into outbound Matrix messages. - Message appearance can be altered with arbitrary inline HTML. - Imposes content and script-injection risks in downstream Matrix clients that trust or insufficiently sanitize the `org.matrix.custom.html` payload.
Источник⚠️ https://github.com/NousResearch/hermes-agent/issues/42667
Пользователь Eric-d (UID 96861)
Представление09.06.2026 11:19 (1 месяц назад)
Модерация09.07.2026 19:49 (1 month later)
Статуспринято
Запись VulDB377247 [NousResearch hermes-agent до 2026.5.29.2 Matrix Adapter matrix.py MatrixAdapter._markdown_to_html межсайтовый скриптинг]
Баллы20

Do you want to use VulDB in your project?

Use the official API to access entries easily!