| tiêu đề | NousResearch hermes-agent 2026.4.23 Injection (CWE-74) |
|---|
| Mô tả | # Technical Details
A zero-click context-file injection scanner regex bypass exists in the `_scan_context_content()` method in `agent/prompt_builder.py` of hermes-agent.
The application fails to align duplicate regex scanning patterns for threat detection, utilizing an outdated iteration of the scanner regex `ignore\s+(previous|all|above|prior)\s+instructions` that does not account for intervening words.
# Vulnerable Code
File: agent/prompt_builder.py
Method: _scan_context_content()
Why: The first matched pattern captures a single keyword before `\s+instructions`. If an attacker adds another qualifier (e.g., `ignore all prior instructions`), the alternation fails since `prior` doesn't directly precede `instructions`. This bypasses the prompt injection scanner, returning false negatives.
# Reproduction
1. Clone an attacker-provided repository containing a poisoned contextual file (e.g., `AGENTS.md`) using the string `ignore all prior instructions`.
2. Initiate `hermes` or `hermes-agent` within the repository directory.
3. The context auto-loader parses the file, scanning it using the flawed regex which returns clear.
4. The LLM immediately adopts and acts upon the maliciously injected system prompt context.
# Impact
- Zero-click full prompt-override primitive upon initializing the hermes assistant in an attacker-controlled directory.
- Can be exploited to orchestrate execution sequences chaining tool usage such as `terminal`, `write_file`, and network endpoints. |
|---|
| Nguồn | ⚠️ https://gist.github.com/YLChen-007/581fd92de5548fbaacb2092e848a75cc |
|---|
| Người dùng | Eric-i (UID 97584) |
|---|
| Đệ trình | 24/04/2026 15:01 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 23/05/2026 12:33 (29 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 365329 [NousResearch hermes-agent 2026.4.23 agent/prompt_builder.py _scan_context_content nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|