VYPR
Unrated severity · NVD Advisory · Published May 24, 2026

NousResearch hermes-agent Slack Agent/Mattermost Agent escape output

CVE-2026-9354

Description

A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The affected element is an unknown function of the component Slack Agent/Mattermost Agent. The manipulation of the argument format_message results in escaping of output. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hermes-agent up to 2026.4.16 lets attackers inject mass-ping mentions that the Slack/Mattermost adapters pass through unescaped, enabling notification spam.

Vulnerability

A vulnerability in NousResearch hermes-agent versions up to 2026.4.16 affects the Slack Agent and Mattermost Agent components. The issue resides in the format_message function (Slack) and the send method (Mattermost), which fail to properly sanitize output containing mass-ping mentions such as <!everyone> or @all. An attacker can exploit this via prompt injection against the LLM to generate unescaped mass mentions that bypass gateway-level sanitization [1].

Exploitation

An unauthenticated or low-privileged attacker can craft a prompt that coerces the LLM into producing output containing mass-ping primitives like <!everyone> (Slack) or @all (Mattermost). The attacker only needs network access to the agent's input interface and no special privileges. The LLM output is then passed verbatim to the chat platform's API: the Slack adapter's regex inadvertently preserves <!everyone> and related tags, while the Mattermost adapter directly assigns the message field without setting `"props": {"disable_mentions": true}` [1].

Impact

Successful exploitation results in a workspace-wide notification explosion (spam or denial of service) directed at all users of the integrated Slack or Mattermost workspace. This can cause notification exhaustion, degrade user experience, and potentially disrupt normal operations. The attack does not elevate privileges but abuses the agent's messaging permissions (e.g., chat:write) to send mass mentions [1].

Mitigation

As of the publication date, the vendor (NousResearch) has not responded to the disclosure and no patch has been released. Users of hermes-agent up to 2026.4.16 should monitor for future updates. If possible, restrict the agent's messaging permissions or apply a reverse proxy to filter out mass-ping patterns in outgoing messages. No CVE ID other than this one, and no KEV listing, has been identified [1].
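The output-side check that the Exploitation and Mitigation sections describe, as an added defender-side example in Python; this is not hermes-agent's own code, and the function names below are hypothetical (the project's own names, per the advisory, are format_message and send). It assumes Slack's documented special-mention syntax (<!everyone>, <!channel>, <!here>, <!subteam^ID>) and Slack's &lt;/&gt; encoding for showing such text literally, Mattermost's @all/@channel/@here tokens, and the props.disable_mentions flag exactly as the advisory text states it.

```python
import re
from typing import Dict, List

# Slack "special mentions" use the <!...> control syntax; <!everyone>, <!channel>,
# <!here> and <!subteam^ID> page large groups. Encoding the angle brackets as
# &lt; / &gt; makes Slack render the token as plain text instead of a mention.
SLACK_MASS_MENTION = re.compile(r"<!(?:everyone|channel|here|subteam\^)[^>]*>")

# Mattermost pages a whole channel on @all, @channel and @here. The token must
# start a word, so an address like bob@all.example is left untouched.
MATTERMOST_MASS_MENTION = re.compile(
    r"(?<![\w.-])@(?:all|channel|here)(?![\w-])", re.IGNORECASE
)

ZWSP = "\u200b"  # zero-width space: breaks the @word token without changing how it reads


def find_mass_mentions(text: str, platform: str) -> List[str]:
    """Return the mass-ping tokens present in `text` (for alerting/logging before send)."""
    pattern = SLACK_MASS_MENTION if platform == "slack" else MATTERMOST_MASS_MENTION
    return pattern.findall(text)


def neutralize_slack(text: str) -> str:
    """Render <!everyone>/<!channel>/<!here>/<!subteam^...> as literal text.

    Only the control sequence itself is encoded, so ordinary links such as
    <https://example.com|docs> and single-user mentions <@U123> keep working.
    """
    return SLACK_MASS_MENTION.sub(lambda m: "&lt;" + m.group(0)[1:-1] + "&gt;", text)


def neutralize_mattermost(text: str) -> str:
    """Insert a zero-width space after '@' so @all/@channel/@here no longer parse as mentions."""
    return MATTERMOST_MASS_MENTION.sub(lambda m: "@" + ZWSP + m.group(0)[1:], text)


def build_slack_payload(channel: str, llm_output: str) -> Dict[str, str]:
    """chat.postMessage body with the model's text neutralized before it leaves the agent."""
    return {"channel": channel, "text": neutralize_slack(llm_output)}


def build_mattermost_payload(channel_id: str, llm_output: str) -> Dict[str, object]:
    """POST /api/v4/posts body. Defence in depth: strip the tokens AND set the
    props flag that the advisory says the vulnerable adapter omits (assumed
    semantics taken from the advisory text)."""
    return {
        "channel_id": channel_id,
        "message": neutralize_mattermost(llm_output),
        "props": {"disable_mentions": True},
    }


if __name__ == "__main__":
    # Constructed sample of hostile model output (not taken from the advisory).
    hostile = "Deploy finished. <!everyone> <!channel|channel> please check @all and @Channel now"
    print(find_mass_mentions(hostile, "slack"))       # ['<!everyone>', '<!channel|channel>']
    print(find_mass_mentions(hostile, "mattermost"))  # ['@all', '@Channel']
    print(build_slack_payload("C0123", hostile)["text"])
    print(build_mattermost_payload("channel-id", hostile))
```

Wire neutralize_slack / neutralize_mattermost (or the two payload builders) into the last step before the platform API call, and log whatever find_mass_mentions returns: a non-empty result on model output is a cheap, high-signal indicator that a prompt-injection attempt reached the adapter.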

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.