| 标题 | NousResearch hermes-agent 2026.4.23 Injection (CWE-74) |
|---|
| 描述 | # Technical Details
A zero-click context-file injection scanner regex bypass exists in the `_scan_context_content()` method in `agent/prompt_builder.py` of hermes-agent.
The application fails to align duplicate regex scanning patterns for threat detection, utilizing an outdated iteration of the scanner regex `ignore\s+(previous|all|above|prior)\s+instructions` that does not account for intervening words.
# Vulnerable Code
File: agent/prompt_builder.py
Method: _scan_context_content()
Why: The first matched pattern captures a single keyword before `\s+instructions`. If an attacker adds another qualifier (e.g., `ignore all prior instructions`), the alternation fails since `prior` doesn't directly precede `instructions`. This bypasses the prompt injection scanner, returning false negatives.
# Reproduction
1. Clone an attacker-provided repository containing a poisoned contextual file (e.g., `AGENTS.md`) using the string `ignore all prior instructions`.
2. Initiate `hermes` or `hermes-agent` within the repository directory.
3. The context auto-loader parses the file, scanning it using the flawed regex which returns clear.
4. The LLM immediately adopts and acts upon the maliciously injected system prompt context.
# Impact
- Zero-click full prompt-override primitive upon initializing the hermes assistant in an attacker-controlled directory.
- Can be exploited to orchestrate execution sequences chaining tool usage such as `terminal`, `write_file`, and network endpoints. |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/581fd92de5548fbaacb2092e848a75cc |
|---|
| 用户 | Eric-i (UID 97584) |
|---|
| 提交 | 2026-04-24 15時01分 (1 月前) |
|---|
| 管理 | 2026-05-23 12時33分 (29 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 365329 [NousResearch hermes-agent 2026.4.23 agent/prompt_builder.py _scan_context_content 权限提升] |
|---|
| 积分 | 20 |
|---|