Hermes-Agent .env Parser Semantic Injection via Substring Splitting (RCE/Credential Theft)

Vulnerability Overview Title: Semantic Injection in Environment Variables via Substring Splitting in Parser ( ) Description: A semantic injection vulnerability exists in the file parser, allowing an attacker to persistently inject arbitrary Hermes configuration variables (e.g., ) by embedding known key names into credential values. When a victim saves a forged API key through the normal CLI flow, the parser's substring-based splitting treats the embedded key as a separate declaration, enabling full interception of LLM API calls, prompt extraction, and credential theft. Details: The root cause lies in the function, which attempts to repair corrupted files where multiple pairs are unexpectedly concatenated on a single line. The function iterates through a list of known Hermes environment variable names and uses to locate any pattern. The issue is that performs naive substring matching without boundary validation, failing to check if the match occurs at the beginning of a key declaration or is merely embedded within another value. If an API key value happens to contain a known key name (e.g., ), the function treats the embedded occurrence as a concatenation point and splits the line into two separate entries. Attack Chain: 1. The attacker creates a malicious API key containing the embedded payload. 2. The victim saves the key via the normal Hermes flow (via social engineering: "Use this API key", contaminated OAuth tokens, or malicious integrations auto-configuring credentials). 3. stores the raw concatenated string, after which splits it based on the embedded key name. 4. The file now contains a separate line. 5. On the next startup, picks up the injected variable. All OpenAI API calls are now routed to the attacker's proxy. 6. The attacker intercepts prompts, responses, and can extract the victim's real API key. Impact Scope LLM API Call Interception: By hijacking , all API requests (including prompts, system instructions, and tool calls) are routed through the attacker's proxy. Credential Theft: The attacker's proxy receives the victim's real API key as part of the header for each forwarded request. Prompt and Response Exfiltration: The attacker can log, modify, or block all LLM interactions. Persistent Compromise: Once triggered, the injection survives reboots and is persisted in the file. Affected Products: Ecosystem: pip Package Name: hermes-agent Affected Versions: <= v2026.4.30 Patched Version: None Severity: Severity: High Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Remediation No specific remediation is currently provided. Users are advised to update to a patched version as soon as possible, or implement other security measures to prevent exploitation of this vulnerability. POC Code

Goal Reached Thanks to every supporter — we hit 100%!

Hermes-Agent .env Parser Semantic Injection via Substring Splitting (RCE/Credential Theft)

More from this source