| 标题 | NousResearch hermes-agent 2026.4.23 Injection (CWE-74) |
|---|
| 描述 | # Technical Details
A multi-word prompt injection bypass exists in the skills threat detection logic in `agent/skills_guard.py` of hermes-agent.
The application fails to consistently apply flexible whitespace and multi-word matching regex across all threat patterns (`THREAT_PATTERNS`), specifically leaving the "system prompt override" and "new policy" patterns vulnerable to bypass by injecting extraneous filler words.
# Vulnerable Code
File: agent/skills_guard.py
Method: THREAT_PATTERNS definition
Why: While some regex patterns were patched to accommodate multi-word inclusions via `(?:\w+\s+)*`, critical filters like `r'system\s+prompt\s+override'` and `r'new\s+policy'` remain rigid. Injecting words such as `system prompt temporary override` evades the matcher.
# Reproduction
1. Create a malicious skill payload containing the phrase `system prompt temporary override`.
2. Submit the payload to the agent's `skills_guard.py` install process.
3. The regex fails to match the injected threat pattern, leading to the payload being accepted as a safe skill.
4. The system prompt is subsequently overridden implicitly without quarantine.
# Impact
- Evasion of "Critical" severity skill checks, allowing malicious skills to be installed into the workspace.
- Unauthorized manipulation of the agent's execution logic by persistently hijacking future sessions to run arbitrary malicious actions or override policies without detection. |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/82a3539d6358842e69dfaef0a9fcf14a |
|---|
| 用户 | Eric-i (UID 97584) |
|---|
| 提交 | 2026-04-24 14時43分 (1 月前) |
|---|
| 管理 | 2026-05-23 11時19分 (29 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 365316 [NousResearch hermes-agent 直到 2026.4.23 Skills Guard Multi-Word Prompt agent/skills_guard.py THREAT_PATTERNS 权限提升] |
|---|
| 积分 | 20 |
|---|