NousResearch hermes-agent Environment Variable code_execution_tool.py execute_code sandbox
Description
A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This impacts the function execute_code of the file tools/code_execution_tool.py of the component Environment Variable Handler. Such manipulation leads to a sandbox issue. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hermes Agent's execute_code tool bypasses approval flows and leaks environment secrets, enabling remote code execution via crafted prompts on connected platforms.
Vulnerability
The vulnerability resides in the execute_code function within tools/code_execution_tool.py of NousResearch Hermes Agent up to version 2026.4.16. Unlike the terminal tool, execute_code does not invoke the approval guard (_check_all_guards()), allowing LLM-generated Python scripts to run on the host without user confirmation. Additionally, the environment variable sanitization uses a substring-based blocklist (_SECRET_SUBSTRINGS) that fails to cover common secret patterns (e.g., DATABASE_URL, SLACK_WEBHOOK, AWS_ACCESS_ID), causing credentials to leak into the subprocess [1].
Exploitation
An attacker can exploit this by sending a crafted prompt to an LLM connected via Telegram, Discord, Slack, or any gateway-integrated platform. The prompt influences the LLM's tool selection to invoke execute_code instead of the approved terminal tool. The generated Python script is written to a temporary file and executed via subprocess.Popen() with an environment containing leaked credentials. The exploit is publicly available and does not require authentication or user interaction [1].
Impact
Successful exploitation grants arbitrary code execution on the host machine with the privileges of the Hermes Agent process. The attacker can access leaked secrets (e.g., database URLs, webhook tokens, AWS keys) and potentially pivot to other systems. This results in full host compromise, credential theft, and possibly lateral movement [1].
Mitigation
As of the publication date, the vendor has not responded to disclosure and no official fix is available. Users should disable the execute_code tool entirely if not required, or implement custom approval checks for all tool invocations. The vulnerability is not yet listed in the Known Exploited Vulnerabilities (KEV) catalog. Affected versions are up to 2026.4.16 [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
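The substring-blocklist weakness described under Vulnerability and the per-invocation approval check suggested under Mitigation, as an added Python example that is not hermes-agent code: the blocklist contents, the allowlist, the sample environment and the approval callback are constructed stand-ins, since the page does not give the real contents of `_SECRET_SUBSTRINGS` or `_check_all_guards()`.

```python
"""Env sanitization and approval gating for a code-execution child process.
Added example, not hermes-agent code; BLOCKLIST_SUBSTRINGS is a constructed
stand-in for the page's _SECRET_SUBSTRINGS, whose real contents are not on the page."""
import subprocess
import sys
from typing import Callable, Mapping

# Constructed stand-in for a substring-based secret blocklist (hypothetical).
BLOCKLIST_SUBSTRINGS = ("KEY", "TOKEN", "SECRET", "PASSWORD")
# Allowlist of the only variables a sandboxed script may inherit.
ALLOWED_ENV = frozenset({"PATH", "HOME", "LANG", "TMPDIR"})

def blocklist_filter(env: Mapping[str, str]) -> dict[str, str]:
    """Weak: a variable is dropped only if its name contains a listed substring."""
    return {k: v for k, v in env.items()
            if not any(s in k.upper() for s in BLOCKLIST_SUBSTRINGS)}

def allowlist_filter(env: Mapping[str, str]) -> dict[str, str]:
    """Stronger: only explicitly named variables reach the child; all else is dropped."""
    return {k: v for k, v in env.items() if k in ALLOWED_ENV}

def leaked_names(filtered: Mapping[str, str], sensitive: set[str]) -> set[str]:
    """Sensitive variable names that survived a filter (empty set means no leak)."""
    return {k for k in sensitive if k in filtered}

def run_sandboxed(script: str, env: Mapping[str, str],
                  approve: Callable[[str], bool]) -> subprocess.CompletedProcess:
    """Run a script only after an explicit approval callback, with the allowlisted env."""
    if not approve(script):
        raise PermissionError("execution not approved")
    return subprocess.run([sys.executable, "-c", script], env=allowlist_filter(env),
                          capture_output=True, text=True, timeout=10)

# Constructed host environment; every value is a placeholder.
SAMPLE_ENV = {
    "PATH": "/usr/bin", "HOME": "/home/agent",
    "OPENAI_API_KEY": "sk-placeholder",
    "DATABASE_URL": "postgres://user:pass@db.internal/app",
    "SLACK_WEBHOOK": "https://hooks.example.invalid/T000/B000",
    "AWS_ACCESS_ID": "AKIA-placeholder",
}
SENSITIVE = {"OPENAI_API_KEY", "DATABASE_URL", "SLACK_WEBHOOK", "AWS_ACCESS_ID"}

if __name__ == "__main__":
    print("blocklist leaks:", sorted(leaked_names(blocklist_filter(SAMPLE_ENV), SENSITIVE)))
    print("allowlist leaks:", sorted(leaked_names(allowlist_filter(SAMPLE_ENV), SENSITIVE)))
```

Run as-is, the blocklist pass lets DATABASE_URL, SLACK_WEBHOOK and AWS_ACCESS_ID through while the allowlist pass leaks nothing, which is the difference a reviewer should look for in any env-sanitization routine.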
Affected products
- Range: <=2026.4.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- gist.github.com/YLChen-007/43c72d19668421abe8ce10f299323a0a (mitre: exploit)
- vuldb.com/submit/812229 (mitre: third-party-advisory)
- vuldb.com/vuln/365331 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365331/cti (mitre: signature, permissions-required)
News mentions
No linked articles in our index yet.