HCSEC-2025-03 - HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass

Bulletin ID: HCSEC-2025-03
Affected Products / Versions: HashiCorp Hermes up to 0.4.0, fixed in Hermes 0.5.0.
Publication Date: Feb 19, 2025

Summary
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

Background
Hermes is a document management system created by HashiCorp, and published as an experimental product under the hashicorp-forge GitHub organization.

Hermes may be configured to use an AWS Application Load Balancer (ALB) for authentication, in which case the load balancer authenticates the user and forwards the resulting identity to the Hermes application server as a signed JWT.

Details
When the AWS ALB authentication strategy is enabled, the load balancer passes the authenticated identity to the backend as a JWT in the x-amzn-oidc-data request header. Hermes did not properly validate that JWT, potentially allowing a party with direct network access to the Hermes application server (that is, one able to reach it without going through the load balancer) to present a token Hermes would accept and bypass authentication controls. This insecure pattern, in which a backend trusts an ALB-issued token without verifying its signature against the regional ALB public key and its signer field against the ARN of the backend's own load balancer, is known as the “ALBeast” vulnerability.
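The following is an added example, not Hermes code, of the validation the ALB mode needs: it verifies the ES256 signature against a key selected by kid, rejects tokens whose signer field is not the ARN of the load balancer in front of the service, and checks expiry. The kid-to-key map stands in for fetching keys from the regional ALB public-key endpoint, the ARNs are made up, and mintToken exists only to play the role of an ALB in the scenarios (in reality only AWS signs these tokens).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fields of the x-amzn-oidc-data header and payload the check relies on.
type albHeader struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"` // ARN of the ALB that issued the token
	Exp    int64  `json:"exp"`
}

type albClaims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// b64decode accepts standard and URL alphabets, padded or not: ALB tokens
// have not always been strict base64url, which trips up strict JWT libraries.
func b64decode(s string) ([]byte, error) {
	s = strings.NewReplacer("+", "-", "/", "_").Replace(strings.TrimRight(s, "="))
	return base64.RawURLEncoding.DecodeString(s)
}

func decodePart(part string, v any) error {
	raw, err := b64decode(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyALBToken checks a token from the x-amzn-oidc-data header. keys maps kid to
// public key (assumed pre-fetched from the regional ALB public-key endpoint);
// expectedSigner is the ARN of the one ALB allowed to front this service.
func VerifyALBToken(token, expectedSigner string, keys map[string]*ecdsa.PublicKey, now time.Time) (*albClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr albHeader
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	// The ALBeast check: a valid AWS signature only proves *some* ALB issued the
	// token. It must be the ALB that fronts this service, not one an attacker created.
	if hdr.Signer != expectedSigner {
		return nil, fmt.Errorf("token issued by foreign ALB %q", hdr.Signer)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := b64decode(parts[2])
	if err != nil || len(sig) != 64 { // ES256 JWS signature is raw r||s, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	var claims albClaims
	if err := decodePart(parts[1], &claims); err != nil {
		return nil, err
	}
	if now.Unix() >= hdr.Exp || now.Unix() >= claims.Exp {
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

// mintToken stands in for an ALB in the scenarios below (test helper, not production code).
func mintToken(priv *ecdsa.PrivateKey, kid, signer, sub string, exp int64) string {
	hdr, _ := json.Marshal(albHeader{Alg: "ES256", Kid: kid, Signer: signer, Exp: exp})
	pl, _ := json.Marshal(albClaims{Sub: sub, Exp: exp})
	enc := base64.RawURLEncoding.EncodeToString
	signing := enc(hdr) + "." + enc(pl)
	digest := sha256.Sum256([]byte(signing))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + enc(sig)
}

// Scenarios runs the cases that separate a correct verifier from the ALBeast pattern.
func Scenarios() (validAccepted, foreignALBRejected, forgedRejected, expiredRejected bool) {
	const ourALB = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/hermes/0123456789abcdef"   // made up
	const otherALB = "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/attacker/fedcba9876543210" // made up
	awsKey1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // keys the regional endpoint would serve
	awsKey2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := map[string]*ecdsa.PublicKey{"kid-1": &awsKey1.PublicKey, "kid-2": &awsKey2.PublicKey}
	now := time.Now()
	exp := now.Add(time.Minute).Unix()

	c, err := VerifyALBToken(mintToken(awsKey1, "kid-1", ourALB, "alice", exp), ourALB, keys, now)
	validAccepted = err == nil && c.Sub == "alice"
	// Genuinely AWS-signed, but issued by an ALB the attacker controls: the ALBeast case.
	_, err = VerifyALBToken(mintToken(awsKey2, "kid-2", otherALB, "admin", exp), ourALB, keys, now)
	foreignALBRejected = err != nil
	// Attacker-signed token borrowing a real kid: fails signature verification.
	_, err = VerifyALBToken(mintToken(attackerKey, "kid-1", ourALB, "admin", exp), ourALB, keys, now)
	forgedRejected = err != nil
	_, err = VerifyALBToken(mintToken(awsKey1, "kid-1", ourALB, "alice", now.Add(-time.Minute).Unix()), ourALB, keys, now)
	expiredRejected = err != nil
	return
}

func main() {
	fmt.Println(Scenarios())
}
```

The second scenario is the one that matters for this bulletin: the token carries a real AWS signature, so signature verification alone passes, and only the signer comparison stops it. A production verifier would additionally fetch the key for an unknown kid from the regional endpoint and cache it, and would still rely on network controls so that the application server is reachable only from its ALB.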

Remediation
Customers using Hermes should evaluate the risk and consider upgrading to Hermes version 0.5.0 or newer. Because the attack requires reaching the application server directly, restricting inbound access to the Hermes server to its load balancer alone (for example, via security groups) also removes the attack path and is worthwhile independently of the upgrade.

Acknowledgement
This issue was identified by Liad Eliyahu of Miggo.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.