CVE-2025-1293Weak Authentication in Hashicorp-forge Hermes

CWE-1390Weak AuthenticationCWE-770Allocation of Resources Without Limits or Throttling6 documents5 sources
Severity
8.2HIGHNVD
EPSS
0.1%
top 79.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Hashicorp ToolingGithub.com Hashicorp-forge HermesHashicorp Hermes
Timeline
PublishedFeb 20
Latest updateMar 3

Description

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages3 packages

NVDhashicorp/hermes< 0.5.0
CVEListV5hashicorp/tooling< 0.5.0

🔴Vulnerability Details

4
OSV
Hermes improperly validates a JWT in github.com/hashicorp-forge/hermes2025-03-03
OSV
Hermes improperly validates a JWT2025-02-20
GHSA
Hermes improperly validates a JWT2025-02-20
CVEList
HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass2025-02-20
CVE-2025-1293 — Weak Authentication | cvebase