| Title | NousResearch hermes-agent 2026.5.29.2 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) (CWE-22) |
|---|---|

# Description

## Technical Details

A path traversal information disclosure exists in the `skill_view` method in `tools/skills_tool.py` of hermes-agent.

The application fails to enforce containment before joining attacker-controlled skill names into trusted search roots. A traversal value such as `../outside-skill` can escape `~/.hermes/skills/`, select a sibling directory containing `SKILL.md`, and then use a benign `file_path` like `.env` to read files from that escaped directory.

## Vulnerable Code

File: `tools/skills_tool.py`, `tools/path_security.py`

Method: `skill_view`, `validate_within_dir`

Why: `skill_view()` constructs `direct_path = search_dir / name` and records it if it contains `SKILL.md`, before rejecting escaped directories. The later `validate_within_dir(target_file, skill_dir)` check is applied relative to the already attacker-selected escaped `skill_dir`, so `.env` passes and is disclosed.

## Reproduction

1. Prepare an isolated `HERMES_HOME` with `skills/legit-skill/SKILL.md`, sibling `outside-skill/SKILL.md`, and sibling `outside-skill/.env`.
2. Invoke the real Hermes dispatcher with `{"name":"../outside-skill"}` and then `{"name":"../outside-skill","file_path":".env"}`.
3. Observe responses showing `path="../outside-skill/SKILL.md"` and `content="ESCAPED_SECRET=issue220_variant\n"`, while the control case using `name="legit-skill"` only reads in-tree files.

## Impact

- Attackers who can influence `skill_view` arguments can read files outside the trusted skills directory.
- Practical disclosures include `.env` secrets, API keys, tokens, webhook credentials, and private reference files colocated beside the skills tree.
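The ordering problem described under "Why" (a containment check applied only after the attacker-chosen directory has already been selected) is easiest to see next to the corrected ordering. The following is an added illustration and not hermes-agent's code: `lookup_skill_file_unsafe`, `lookup_skill_file_safe`, `_within` and `demo` are hypothetical names, and the directory tree and secret value are constructed to mirror the reproduction layout above. The safe variant restricts `name` to a single path component and checks that the resolved candidate directory is inside the search root before it is ever accepted, then confines `file_path` within that directory.

```python
"""Containment check ordering for a skill-lookup helper (illustrative, not hermes-agent's code)."""
from __future__ import annotations

import tempfile
from pathlib import Path


def _within(child: Path, root: Path) -> bool:
    """True if `child`, fully resolved (symlinks included), lies under `root`.
    A non-existent path resolves strictly to an OSError and is treated as outside."""
    try:
        child.resolve(strict=True).relative_to(root.resolve(strict=True))
        return True
    except (ValueError, OSError):
        return False


def lookup_skill_file_unsafe(search_dirs: list[Path], name: str, file_path: str = "SKILL.md") -> Path | None:
    """Flawed ordering (hypothetical): the skill directory is chosen from an unchecked
    join, and containment is only checked relative to that already-chosen directory."""
    for search_dir in search_dirs:
        skill_dir = search_dir / name             # caller-controlled `name` joined unchecked
        if (skill_dir / "SKILL.md").is_file():    # any sibling dir holding SKILL.md qualifies
            target = skill_dir / file_path
            if _within(target, skill_dir):        # `.env` is inside the escaped dir, so this passes
                return target
    return None


def lookup_skill_file_safe(search_dirs: list[Path], name: str, file_path: str = "SKILL.md") -> Path | None:
    """Hardened ordering (hypothetical): the candidate directory must be a single
    component of the root and resolve inside it *before* it is selected; only then
    is `file_path` confined within the selected directory."""
    # `name` must be exactly one directory component: no separators, no '.', '..', or absolute paths.
    if not name or name in (".", "..") or Path(name).is_absolute() or Path(name).name != name:
        return None
    for search_dir in search_dirs:
        skill_dir = search_dir / name
        # Resolve-based check also rejects a symlink inside the root that points outside it.
        if not _within(skill_dir, search_dir) or skill_dir.resolve() == search_dir.resolve():
            continue
        if not (skill_dir / "SKILL.md").is_file():
            continue
        target = skill_dir / file_path
        if not _within(target, skill_dir):        # confine the file to the already-validated dir
            return None
        return target
    return None


def demo() -> dict[str, bool]:
    """Builds a constructed tree shaped like the advisory's reproduction and reports
    what each variant does with a traversal name and with the legitimate name."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        skills = home / "skills"
        (skills / "legit-skill").mkdir(parents=True)
        (skills / "legit-skill" / "SKILL.md").write_text("# legit\n")
        (home / "outside-skill").mkdir()
        (home / "outside-skill" / "SKILL.md").write_text("# outside\n")
        # Constructed sample secret; not a real value from the project.
        (home / "outside-skill" / ".env").write_text("CONSTRUCTED_SECRET=example\n")

        roots = [skills]
        unsafe = lookup_skill_file_unsafe(roots, "../outside-skill", ".env")
        safe = lookup_skill_file_safe(roots, "../outside-skill", ".env")
        legit = lookup_skill_file_safe(roots, "legit-skill")
        return {
            "unsafe_escapes": unsafe is not None and unsafe.read_text().startswith("CONSTRUCTED_SECRET"),
            "safe_blocks_traversal_name": safe is None,
            "safe_blocks_dotdot_name": lookup_skill_file_safe(roots, "..") is None,
            "safe_blocks_traversal_file": lookup_skill_file_safe(roots, "legit-skill", "../../outside-skill/.env") is None,
            "safe_allows_legit": legit is not None and legit.name == "SKILL.md",
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two design points worth noting: restricting `name` to one path component is the smallest fix and removes the traversal outright, while the `resolve(strict=True)`-based check is what catches the symlink case that a string comparison on `..` would miss. The check on the selected directory and the check on the requested file are both needed, since validating only the second one is exactly the gap the advisory describes.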

| Source | ⚠️ https://github.com/NousResearch/hermes-agent/issues/38643 |
|---|---|
| User | Eric-y (UID 95889) |
| Submission | 06/04/2026 08:50 (1 month ago) |
| Moderation | 07/05/2026 16:00 (1 month later) |
| Status | Accepted |
| VulDB entry | 376373 [NousResearch hermes-agent 2026.5.29.2 tools/skills_tool.py skill_view Name path traversal] |
| Points | 20 |