nesquena hermes-webui Trust-Boundary Failure Vulnerability Allowing Arbitrary Workspace Directory Access

A trust-boundary failure vulnerability has been identified in nesquena hermes-webui, specifically in version 0.50.33 and prior. This vulnerability allows authenticated attackers to manipulate workspace path parameters in several API endpoints, including '/api/session/new', '/api/session/update', '/api/chat/start', and '/api/workspaces/add'. By doing so, attackers can redirect a session workspace to any existing directory on the disk, bypassing the intended trusted root. Once the workspace is redirected, attackers can use standard file read and write APIs to access or modify files outside the designated workspace boundary, all within the permissions of the hermes-webui process.

Impact

Exploitation of this vulnerability could lead to unauthorized access to files or directories outside the intended workspace boundary, allowing for potential modification or manipulation of those files. This behavior could be leveraged to disrupt the application's normal operations or to access sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to one of the vulnerable API endpoints with a manipulated workspace path that points to a directory outside the trusted root. This can be done by first creating a session and then using the 'workspace' parameter to specify a path that the hermes-webui process can access, but that is not within the allowed workspace boundaries. After the session workspace has been successfully redirected, the user can then use the application's file read and write APIs to access or modify files in the chosen directory.

Remediation

Users are advised to update to hermes-webui version 0.50.34, which includes a patch that restricts session workspaces to trusted roots, preventing the manipulation of workspace paths to access arbitrary directories.