NousResearch hermes-agent read_file Tool file_tools.py _is_blocked_device path traversal
Description
A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.16. This vulnerability affects the function _is_blocked_device of the file tools/file_tools.py of the component read_file Tool. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal bypass in NousResearch hermes-agent's _is_blocked_device function allows remote attackers to cause Denial of Service by reading device files like /dev/zero.
Vulnerability
The _is_blocked_device() function in tools/file_tools.py of NousResearch hermes-agent up to version 2026.4.16 fails to properly normalize file paths before checking them against a blocklist of device files. It uses os.path.expanduser() only, which does not resolve . or .. components. Consequently, a path like /dev/./zero bypasses the exact string match against /dev/zero, but the OS kernel resolves it to /dev/zero when opened, leading to an infinite read loop.
Exploitation
An attacker can remotely send a crafted path (e.g., /dev/./zero) to the read_file tool without requiring authentication. No user interaction is needed. The path is processed by _is_blocked_device(), which does not detect it as blocked, and then the file is opened, causing the agent process to hang indefinitely.
Impact
Successful exploitation results in a Denial of Service (DoS) where the hermes-agent process becomes unresponsive. All users sharing the same gateway process are affected until the process is restarted. No data disclosure, privilege escalation, or code execution is achieved.
Mitigation
No official patch has been released, as the vendor did not respond to the disclosure. As a workaround, users can manually modify _is_blocked_device() to also use os.path.realpath() and os.path.normpath() for proper path normalization, similar to the _check_sensitive_path() function in the same file [1]. Without this fix, the vulnerability remains exploitable.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2026.4.16
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- gist.github.com/YLChen-007/1d1aeff404cb88e06ec2fb3377f49fefmitreexploit
- vuldb.com/submit/812214mitrethird-party-advisory
- vuldb.com/vuln/365314mitrevdb-entrytechnical-description
- vuldb.com/vuln/365314/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.