VYPR
Unrated severity · NVD Advisory · Published May 24, 2026

NousResearch hermes-agent Messaging Gateway local.py _make_run_env information disclosure

CVE-2026-9352

Description

A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function _make_run_env of the file tools/environments/local.py of the component Messaging Gateway Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An information leak in NousResearch hermes-agent up to 2026.4.23 allows remote attackers to obtain messaging gateway credentials via subprocess environment inheritance.

Vulnerability

A weakness in NousResearch hermes-agent up to version 2026.4.23 exists in the _make_run_env function of tools/environments/local.py. The subprocess environment sanitization fails to block messaging gateway credentials (e.g., FEISHU_APP_SECRET, WECOM_SECRET, DINGTALK_CLIENT_SECRET) stored in _EXTRA_ENV_KEYS in hermes_cli/config.py. These keys are neither in OPTIONAL_ENV_VARS nor in the hardcoded blocklist, so they are inherited by subprocesses executed via the terminal or execute_code tools [1].

Exploitation

An attacker needs to influence the AI agent via prompt injection from a messaging interface, with terminal or execute_code tools enabled (default) and TERMINAL_ENV=local (default). The attacker simply sends a command like printenv to the agent, which executes it as a subprocess. The subprocess inherits the unblocked environment variables containing messaging credentials, which are then printed or exfiltrated [1]. No authentication is required; the attack is remote.

Impact

Successful exploitation leads to disclosure of sensitive messaging gateway credentials (e.g., Feishu, WeCom, DingTalk). This could allow unauthorized access to the configured messaging platforms, enabling an attacker to read, send, or intercept messages, impersonate the bot, or compromise further integrations [1].

Mitigation

The vendor was contacted but did not respond; no official fix has been released as of the publication date [1]. Workarounds include disabling the terminal and execute_code tools, ensuring TERMINAL_ENV is not set to local, or manually adding the messaging credential keys to the blocklist in the _build_provider_env_blocklist() function.
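The blocklist workaround can be enforced at the point where the tool subprocess is spawned, then verified by asking a real child process what it can see. This is an added example, not hermes-agent's own code: `sanitize_env`, `run_tool_command`, `child_visible_names`, the name-pattern backstop and the `EXAMPLE_BOT_TOKEN` key are hypothetical, and only the three gateway key names come from the advisory text.

```python
import os
import re
import subprocess
import sys

# Key names quoted in the advisory; add every gateway key you configure.
GATEWAY_SECRET_KEYS = frozenset({
    "FEISHU_APP_SECRET", "WECOM_SECRET", "DINGTALK_CLIENT_SECRET",
})
# Assumption: a name-pattern backstop, so a credential key introduced later
# is not inherited just because the explicit list was never updated.
SECRET_NAME_RE = re.compile(r"SECRET|TOKEN|PASSWORD|API_?KEY", re.IGNORECASE)

# Constructed parent environment for the demonstration (values are fake).
CONSTRUCTED_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "HOME": "/tmp",
    "FEISHU_APP_SECRET": "constructed-value",
    "WECOM_SECRET": "constructed-value",
    "DINGTALK_CLIENT_SECRET": "constructed-value",
    "EXAMPLE_BOT_TOKEN": "constructed-value",  # hypothetical key, caught by pattern
}


def sanitize_env(parent_env, blocked=GATEWAY_SECRET_KEYS, allow=frozenset()):
    """Return (child_env, dropped_names) for a tool subprocess."""
    child, dropped = {}, []
    for name, value in parent_env.items():
        if name in allow:
            child[name] = value  # explicit opt-in wins over both filters
        elif name.upper() in blocked or SECRET_NAME_RE.search(name):
            dropped.append(name)
        else:
            child[name] = value
    return child, sorted(dropped)


def run_tool_command(argv, parent_env=None):
    """Run argv with env= set explicitly, so os.environ is never inherited."""
    env, _ = sanitize_env(os.environ if parent_env is None else parent_env)
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


def child_visible_names(parent_env):
    """Spawn a child and return the variable names it actually received."""
    code = "import os; print('\\n'.join(sorted(os.environ)))"
    return set(run_tool_command([sys.executable, "-c", code], parent_env).stdout.split())
```

Logging the `dropped_names` list at startup gives an audit trail of which configured keys were withheld from tool subprocesses.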

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
