NousResearch hermes-agent Unauthenticated Remote Code Execution Vulnerability in Webhook Component

Vulnerability

A critical vulnerability allowing unauthenticated remote code execution has been identified in NousResearch hermes-agent version 0.8.0. The issue lies in the webhook endpoint, specifically within the file gateway/platforms/webhook.py. The vulnerability is triggered by setting a webhook route's secret to 'INSECURE_NO_AUTH', a sentinel value that disables HMAC signature verification for that route. Any network client can then send unauthenticated POST requests to the webhook, and the request payload is executed as a command by the agent.

Impact

Exploitation of this vulnerability allows for full unauthenticated remote code execution on the server where hermes-agent is running.

Reproduction

To reproduce this vulnerability, configure a webhook route with the secret set to 'INSECURE_NO_AUTH'. Once the webhook is active, send a POST request to the webhook endpoint without including an HMAC signature. The request payload can include any command, which will be executed by the agent on the server.
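The defensive point is the verification logic itself: a sentinel secret must never turn into an accept-everything branch, and an operator should be able to audit route configuration for it. The following is an added illustration, not code from hermes-agent; it assumes a hex-encoded HMAC-SHA256 over the raw body and a route config shaped as a dict of {"secret": ...}, both of which are assumptions for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Optional

# Sentinel named by the advisory. Everything else in this file is assumed
# for illustration and is not the project's actual code or config format.
INSECURE_SENTINEL = "INSECURE_NO_AUTH"


def sign_body(secret: str, body: bytes) -> str:
    """Assumed signature format: hex HMAC-SHA256 of the raw request body."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_vulnerable(secret: str, body: bytes, signature: Optional[str]) -> bool:
    """Illustrative VULNERABLE pattern: a sentinel secret skips verification,
    so unsigned requests from any client are accepted."""
    if secret == INSECURE_SENTINEL:
        return True
    if not signature:
        return False
    return hmac.compare_digest(sign_body(secret, body), signature)


def verify_hardened(secret: str, body: bytes, signature: Optional[str]) -> bool:
    """Hardened: no bypass value exists. An empty or sentinel secret is a
    misconfiguration and rejects every request; a missing signature rejects."""
    if not secret or secret == INSECURE_SENTINEL:
        return False
    if not signature:
        return False
    return hmac.compare_digest(sign_body(secret, body), signature)


def audit_routes(routes: Dict[str, dict]) -> List[str]:
    """Config check: names of routes whose secret is missing or the sentinel."""
    return [
        name for name, cfg in routes.items()
        if not cfg.get("secret") or cfg.get("secret") == INSECURE_SENTINEL
    ]
```

Running audit_routes over the deployed route configuration before startup gives a simple pre-flight check that no route is left in the unauthenticated state.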

Remediation

The latest version of hermes-agent includes a fix for this vulnerability. Users should update to version 0.11.0 or later.

Added: Apr 27, 2026, 11:18 AM
Updated: Apr 27, 2026, 11:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.