logo

Database

Authentication mechanism absence or evasion In github.com/hashicorp-forge/hermes

Description

Hermes improperly validates a JWT Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-12932. NVD-2025-12933. OSV-2025-12934. GCVE-2025-1293

References

1. https://github.com/hashicorp-forge/hermes/commit/e36d479616099bd0c8dfde6786ea671f112d91062. https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.