Submit #844654: Nous Research hermes-agent v2026.4.30 Improper Handling of Case Sensitivity Leading to Information Disclosure (CWE-178)

Title: Nous Research hermes-agent v2026.4.30 Improper Handling of Case Sensitivity Leading to Information Disclosure (CWE-178)
Description:

# Technical Details

A leak of hidden reasoning content exists in the `GatewayStreamConsumer._filter_and_accumulate()` method in `gateway/stream_consumer.py` and the `HermesCLI._stream_delta()` method in `cli.py` of hermes-agent. The application does not normalize reasoning tags or compare them case-insensitively during live streaming. The hardcoded tag lists cover only some exact-case variants, so uppercase or mixed-case tags such as `<THINK>`, `<Think>`, `<THOUGHT>`, and `<REASONING>` bypass the real-time filter and are rendered to the end user before later post-processing strips them.

# Vulnerable Code

- File: `gateway/stream_consumer.py`
- Method: `GatewayStreamConsumer._filter_and_accumulate()`
- Why: `_OPEN_THINK_TAGS` and `_CLOSE_THINK_TAGS` contain an incomplete set of case variants, and the method matches with exact `buf.find(tag)` calls. The duplicated logic in `cli.py` uses the same flawed approach, so unlisted case variants pass through.

# Reproduction

1. Download and run the PoC script `poc_exploit.py` from the linked advisory environment.
2. Feed simulated streamed model output containing uppercase or mixed-case reasoning tags such as `<THINK>Secret reasoning</THINK>` through `_filter_and_accumulate()`.
3. Observe that the hidden reasoning content is accumulated and displayed instead of being suppressed.
4. Run the control script with the listed lowercase tags and confirm that those are filtered correctly.

# Impact

- Hidden chain-of-thought, system prompts, and internal reasoning can be exposed to end users during streaming.
- Tool arguments, file paths, API endpoints, and other sensitive runtime context may be disclosed on connected platforms.
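The exact-case matching the description attributes to the filter, beside a case-insensitive alternative, as an added example that is not hermes-agent's own code: a toy streaming filter (`find_exact`, `find_ci`, `filter_stream`, `weak_filter` and `hardened_filter` are hypothetical names) with constructed tag names and sample chunks, assuming each tag arrives whole inside a single chunk.

```python
import re
# Constructed tag names; hermes-agent's real tag lists are assumed, not copied.
TAG_NAMES = ("think", "thought", "reasoning")
EXACT_OPEN = tuple(f"<{n}>" for n in TAG_NAMES)   # exact-case strings only
EXACT_CLOSE = tuple(f"</{n}>" for n in TAG_NAMES)
OPEN_RE = re.compile(r"<(?:think|thought|reasoning)>", re.IGNORECASE)
CLOSE_RE = re.compile(r"</(?:think|thought|reasoning)>", re.IGNORECASE)

def find_exact(buf, tags):
    """buf.find()-style lookup of the earliest listed tag; case-sensitive."""
    best = None
    for tag in tags:
        i = buf.find(tag)
        if i != -1 and (best is None or i < best[0]):
            best = (i, i + len(tag))
    return best                       # (start, end) or None

def find_ci(buf, pattern):
    """Case-insensitive lookup with a compiled regex; (start, end) or None."""
    m = pattern.search(buf)
    return (m.start(), m.end()) if m else None

def filter_stream(chunks, find_open, find_close):
    """Suppress text between open and close tags; assumes tags arrive whole in one chunk."""
    visible, hidden = [], False
    for buf in chunks:
        while buf:
            hit = find_close(buf) if hidden else find_open(buf)
            if hit is None:
                if not hidden:
                    visible.append(buf)   # plain text: show it
                buf = ""                  # hidden text: swallow it
            else:
                if not hidden:
                    visible.append(buf[:hit[0]])
                buf, hidden = buf[hit[1]:], not hidden
    return "".join(visible)

def weak_filter(chunks):        # the exact-case behaviour the report describes
    return filter_stream(chunks, lambda b: find_exact(b, EXACT_OPEN),
                         lambda b: find_exact(b, EXACT_CLOSE))

def hardened_filter(chunks):    # case-insensitive matching closes the gap
    return filter_stream(chunks, lambda b: find_ci(b, OPEN_RE),
                         lambda b: find_ci(b, CLOSE_RE))

# Constructed sample streams, not real model output.
LOWER = ["Hello <think>", "private", "</think> world"]
UPPER = ["Hello <THINK>", "private", "</THINK> world"]
```

Running both filters over `LOWER` and `UPPER` shows the weak filter suppressing only the lowercase variant while the hardened filter suppresses both.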
Source: https://gist.github.com/YLChen-007/2229e5505bcbb3e15a7ae8fba4c4be37, https://github.com/NousResearch/hermes-agent/issues/27288
User: Eric-a (UID 96353)
Submission: 06/01/2026 10:13 (1 month ago)
Moderation: 07/03/2026 18:31 (1 month later)
Status: Accepted
VulDB entry: 376134 [NousResearch hermes-agent up to 2026.4.30 Streaming Reasoning Tag Filter stream_consumer.py GatewayStreamConsumer._filter_and_accumulate case sensitivity]
Points: 20