Hermes WebUI Arbitrary File Deletion Vulnerability via Unvalidated Session ID
Vulnerability
A vulnerability allowing arbitrary file deletion has been identified in Hermes WebUI, specifically within the '/api/session/delete' endpoint. This issue arises from the acceptance of unvalidated session identifiers, which can be exploited by authenticated attackers to delete files outside the designated session directory. By providing an absolute path or a path traversal payload in the 'session_id' parameter, attackers can bypass the 'SESSION_DIR' boundary and remove writable JSON files from the host system.
Impact
Exploitation of this vulnerability allows authenticated attackers to delete arbitrary files on the host system, specifically writable JSON files, by manipulating the 'session_id' parameter to bypass directory restrictions.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/session/delete' endpoint with a 'session_id' parameter that includes either an absolute path or a path traversal payload. The server will process the request and delete the specified file, bypassing the session directory restrictions.
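The failure the advisory describes, and the containment check that prevents it, as an added Python example (this is not Hermes WebUI's own code; the SESSION_DIR location, the one-JSON-file-per-session layout, and the function names are assumptions):

```python
import os
import re
from pathlib import Path

# Assumed layout: one <session_id>.json per session under SESSION_DIR (hypothetical path).
SESSION_DIR = Path("/var/lib/hermes/sessions")
# Allowlist: a session id is an opaque token, never a path.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_session_path(session_id: str, base: Path = SESSION_DIR) -> str:
    """The unsafe pattern: the join trusts the caller-supplied id.
    os.path.join discards `base` entirely when session_id is absolute, and
    '..' segments survive, so the result can point outside the session dir."""
    return os.path.join(str(base), f"{session_id}.json")


def escapes_session_dir(path: str, base: Path = SESSION_DIR) -> bool:
    """True when the normalised path is not inside `base` (detection check)."""
    resolved = Path(path).resolve(strict=False)
    try:
        resolved.relative_to(base.resolve(strict=False))
        return False
    except ValueError:
        return True


def safe_session_path(session_id: str, base: Path = SESSION_DIR) -> Path:
    """Hardened lookup: validate the identifier first, then prove containment."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("invalid session id")
    candidate = (base / f"{session_id}.json").resolve(strict=False)
    if escapes_session_dir(str(candidate), base):
        raise ValueError("session path escapes SESSION_DIR")
    return candidate


def delete_session(session_id: str, base: Path = SESSION_DIR) -> bool:
    """How the delete handler should be written: validate, then unlink only an
    existing regular file inside the session directory. Returns True if deleted."""
    path = safe_session_path(session_id, base)
    if path.is_file():
        path.unlink()
        return True
    return False
```

`escapes_session_dir` doubles as a log-review check: run it over the `session_id` values seen in delete requests to find traversal attempts against an unpatched instance.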
Remediation
Users are advised to update to Hermes WebUI version 0.50.32 or later, where this vulnerability has been addressed.
