NousResearch hermes-agent terminal_tool approval.py detect_dangerous_command os command injection
Description
A vulnerability was determined in NousResearch hermes-agent up to 5157f5427f19488b31c6fdebbacd15d798ce7f63. This affects the function detect_dangerous_command of the file tools/approval.py of the component terminal_tool. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bypass in NousResearch hermes-agent's terminal tool approval logic allows an attacker to achieve silent remote code execution by using eval $(curl...) to evade dangerous command detection.
Vulnerability
A vulnerability exists in NousResearch hermes-agent up to commit 5157f5427f19488b31c6fdebbacd15d798ce7f63. The function detect_dangerous_command in the file tools/approval.py (component terminal_tool) uses a list of regex patterns (DANGEROUS_PATTERNS) to block dangerous shell commands such as curl | bash. However, the detection is purely syntactic and does not account for functionally equivalent representations like eval $(curl ...) which bypasses the blacklist and allows arbitrary command execution. [1]
Exploitation
An attacker can remotely instruct the LLM agent (via prompt injection or other means) to generate a command like eval $(wget ...) which is not matched by the existing patterns. Because the detection function considers the command safe, the interactive user approval prompt is skipped, and the command executes without any user interaction. The exploit does not require authentication or prior access beyond the ability to interact with the hermes-agent. [1]
Impact
Successful exploitation results in silent, zero-click remote code execution with the privileges of the hermes-agent process. The attacker gains full control over the affected system, including the ability to execute arbitrary commands, exfiltrate data, install malware, or pivot to other systems. This compromises confidentiality, integrity, and availability. [1]
Mitigation
As of the publication date (2026-05-24), the vendor had not responded to the disclosure, and no patch or fixed version has been released. The vulnerability is publicly disclosed and a proof-of-concept is available. Users should consider disabling the terminal_tool functionality, implementing additional network-layer controls, or isolating the hermes-agent execution environment until a fix is applied. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=5157f5427f19488b31c6fdebbacd15d798ce7f63
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Incorrect regular expression blacklist in `detect_dangerous_command` performs purely syntactic matching, allowing semantically equivalent shell execution syntaxes like `eval $(curl ...)` to bypass detection entirely."
Attack vector
An attacker injects a malicious prompt into the LLM agent that instructs it to use an un-flagged execution channel such as `eval $(curl ...)` or `eval $(wget ...)` [ref_id=1]. Because the regex blacklist only matches patterns like `curl ... | bash`, the `detect_dangerous_command` function concludes the command is "safe" and skips the interactive user confirmation prompt [ref_id=1]. The command then executes silently, achieving zero-click remote code execution [ref_id=1]. The attack is initiated remotely via untrusted LLM input injection [ref_id=1].
Affected code
The vulnerable function is `detect_dangerous_command` in `tools/approval.py` [ref_id=1]. The function uses a blacklist of regex patterns (e.g., `(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b', "pipe remote content to shell")`) to flag dangerous shell commands, but the regex matching is purely syntactic and incomplete [ref_id=1]. The predefined `DANGEROUS_PATTERNS` list at lines 94-101 and the detection logic at lines 182-191 are the specific code paths at fault [ref_id=1].
What the fix does
The advisory does not include a patch; the vendor was contacted but did not respond [ref_id=1]. The recommended remediation is to replace the purely syntactic regex blacklist with a more robust detection mechanism that accounts for semantically equivalent shell execution syntaxes, such as `eval`, command substitution, and `source` [ref_id=1]. A complete fix would require detecting dangerous command execution regardless of the syntactic form used [ref_id=1].
Preconditions
- configAn active, vanilla installation of hermes-agent with terminal_tool functionality enabled
- inputThe agent must be processing untrusted LLM input (e.g., a malicious prompt injection)
- authNo authentication required; the attack is initiated remotely via prompt injection
Reproduction
1. Run the control experiment to verify protection works: `python3 control-normal_behavior.py` (expected: detection engages and command is blocked) [ref_id=1]. 2. Run the bypass exploit script: `python3 poc_exploit.py` (expected: detection fails, prompt approves silently, payload executes, and `/tmp/pwned_exploit.txt` is created) [ref_id=1]. 3. Alternatively, run the enumeration tool `poc_bypass_detection.py` to probe 16 different semantic variants of `eval` and `source` [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- gist.github.com/YLChen-007/75fb10319693e86106ced2ef3a472c80mitreexploit
- vuldb.com/submit/812228mitrethird-party-advisory
- vuldb.com/vuln/365330mitrevdb-entrytechnical-description
- vuldb.com/vuln/365330/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.