Teknium 0437137fff security: pin patched Starlette (>=1.0.1) for CVE-2026-48710 BadHost (#35118) ... Starlette < 1.0.1 is affected by CVE-2026-48710 ("BadHost", CWE-444). The HTTP Host header was not validated before being used to rebuild `request.url`, so a malformed Host could make `request.url.path` desync from the raw ASGI path the router actually dispatched. Middleware and endpoints that apply path-based authorization off `request.url` (rather than `scope["path"]`) can therefore be bypassed. Hermes pulls Starlette transitively, never directly: - [web] -> fastapi==0.133.1 (starlette>=0.40.0, no upper bound) - [mcp] -> mcp==1.26.0 + sse-starlette (starlette>=0.27 / >=0.49.1) - [computer-use] -> mcp==1.26.0 - [dev] -> mcp==1.26.0 A fresh resolve landed starlette 0.52.1 — vulnerable. With no upper bound on the transitive specs, pip/uv could resolve any pre-1.0.1 release on a fresh install. Fix: pin starlette==1.0.1 directly in every extra that exposes a Starlette-backed server surface, regenerate uv.lock (only starlette moves: 0.52.1 -> 1.0.1, hash-verified), and mirror the pin in the lazy-install map (tools/lazy_deps.py `tool.dashboard`) so `hermes` on-demand dashboard installs can't re-resolve a vulnerable version. 1.0.1 is the advisory's named fix floor and the oldest patched release (more bake time than 1.1.0/1.2.0, which are days old); it satisfies every carrier constraint and our requires-python>=3.11. Scope note: this is a dependency-level fix complementing the application-layer Host-header validator added in #34162 (`hermes_cli/web_server.py` `_is_accepted_host`). Defense in depth at both the framework and app layers. Guards: two invariant tests in tests/test_packaging_metadata.py assert every server-surface extra pins starlette and that pyproject + uv.lock both resolve >= the 1.0.1 CVE floor — a dropped pin or stale lock fails in CI instead of shipping the bypass. Closes #35067		2026-05-29 23:23:54 -07:00
..
computer_use	style: restore PEP8 blank-line separation after dead-code removal	2026-05-29 04:22:27 -07:00
environments	fix: drain thread no longer crashes on fd-less stdout streams (#34789)	2026-05-29 12:16:57 -07:00
neutts_samples
__init__.py
ansi_strip.py
approval.py	fix(code-exec): restore approval context in execute_code RPC threads + guard entry	2026-05-29 03:44:49 -07:00
binary_extensions.py	fix(tools): address PR review — remove _extract_raw_output, BudgetConfig everywhere, read_file hardening	2026-04-08 02:24:32 -07:00
browser_camofox.py	fix(browser): rewrite Camofox Docker loopback URLs (#25541)	2026-05-29 15:43:55 +10:00
browser_camofox_state.py
browser_cdp_tool.py	chore: prune unused imports and duplicate import redefinitions	2026-05-28 22:26:25 -07:00
browser_dialog_tool.py	feat: auto-launch Chromium-family browser for CDP	2026-05-19 22:34:05 -07:00
browser_supervisor.py	fix(async): close unscheduled coroutines in all threadsafe bridges (#26584)	2026-05-15 14:00:01 -07:00
browser_tool.py	docs: fix BROWSERBASE_SESSION_TIMEOUT unit (ms → seconds)	2026-05-29 12:06:22 -07:00
budget_config.py	chore: remove Atropos RL environments and tinker-atropos integration (#26106)	2026-05-15 10:36:38 +05:30
checkpoint_manager.py	chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937)	2026-05-11 11:13:25 -07:00
clarify_gateway.py	feat(gateway): wire clarify tool with inline keyboard buttons on Telegram (#24199)	2026-05-12 16:33:33 -07:00
clarify_tool.py	refactor: add tool_error/tool_result helpers + read_raw_config, migrate 129 callsites	2026-04-07 13:36:38 -07:00
code_execution_tool.py	fix(code-exec): make dropped HERMES_* env vars diagnosable in sandbox scrub	2026-05-29 03:44:49 -07:00
computer_use_tool.py	feat(computer-use): cua-driver backend, universal any-model schema	2026-05-08 11:07:38 -07:00
credential_files.py	remove Vercel AI Gateway and Vercel Sandbox (#33067)	2026-05-27 00:43:32 -07:00
cronjob_tools.py	chore: prune unused imports and duplicate import redefinitions	2026-05-28 22:26:25 -07:00
debug_helpers.py	refactor: codebase-wide lint cleanup — unused imports, dead code, and inefficient patterns (#5821)	2026-04-07 10:25:31 -07:00
delegate_tool.py	fix(delegation): preserve configured_provider name when runtime returns 'custom'	2026-05-17 11:40:05 -07:00
discord_tool.py	feat: add Discord message deletion action	2026-05-07 05:11:09 -07:00
env_passthrough.py	harden(env_passthrough): apply GHSA-rhgp-j443-p4rf filter to config.yaml path (#27794)	2026-05-25 03:35:23 -07:00
env_probe.py	feat(prompt): universal task-completion guidance + local Python toolchain probe (#34340)	2026-05-28 22:26:09 -07:00
fal_common.py	refactor(image_gen): port FAL backend to plugins/image_gen/fal	2026-05-22 04:10:45 -07:00
feishu_doc_tool.py	perf(cli): cut ~19s from 'hermes' cold start (skills cache + lazy Feishu + no Nous HTTP) (#22138)	2026-05-08 16:39:32 -07:00
feishu_drive_tool.py	perf(cli): cut ~19s from 'hermes' cold start (skills cache + lazy Feishu + no Nous HTTP) (#22138)	2026-05-08 16:39:32 -07:00
file_operations.py	style: restore PEP8 blank-line separation after dead-code removal	2026-05-29 04:22:27 -07:00
file_state.py	feat(delegate): cross-agent file state coordination for concurrent subagents (#13718)	2026-04-21 16:41:26 -07:00
file_tools.py	remove Vercel AI Gateway and Vercel Sandbox (#33067)	2026-05-27 00:43:32 -07:00
fuzzy_match.py	fix(patch): widen new_string \t/\r unescape to all match strategies (#33733)	2026-05-28 03:27:20 -07:00
homeassistant_tool.py	fix: clean up description escaping, add string-data tests	2026-04-13 04:45:07 -07:00
image_generation_tool.py	feat(auth) normalise the way in which we check whether a user has free/paid access to nous portal so we can expose behaviour and error messages accordingly.	2026-05-28 00:19:31 -07:00
interrupt.py	fix(interrupt): propagate to concurrent-tool workers + opt-in debug trace (#11907)	2026-04-17 20:39:25 -07:00
kanban_tools.py	fix(kanban): bridge worker runtime activity to board heartbeat (#31752)	2026-05-29 00:05:58 -07:00
lazy_deps.py	security: pin patched Starlette (>=1.0.1) for CVE-2026-48710 BadHost (#35118)	2026-05-29 23:23:54 -07:00
managed_tool_gateway.py
mcp_oauth.py	feat(mcp-oauth): accept 'skip' at paste prompt to bypass auth without disabling server (#32069)	2026-05-25 05:37:30 -07:00
mcp_oauth_manager.py	fix(mcp-oauth): persist OAuth server metadata across process restarts (#21226)	2026-05-07 05:35:33 -07:00
mcp_tool.py	fix(mcp): widen isinstance check to BaseException for CancelledError	2026-05-29 13:29:34 -07:00
memory_tool.py	chore: prune unused imports and duplicate import redefinitions	2026-05-28 22:26:25 -07:00
microsoft_graph_auth.py	feat(msgraph): add auth and client foundation	2026-05-08 09:27:26 -07:00
microsoft_graph_client.py	fix(msgraph): stream download_to_file body instead of buffering	2026-05-08 09:27:26 -07:00
mixture_of_agents_tool.py	chore: ruff auto-fix C401, C416, C408, PLR1722 (#23940)	2026-05-11 11:20:58 -07:00
neutts_synth.py
openrouter_client.py
osv_check.py	chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937)	2026-05-11 11:13:25 -07:00
patch_parser.py	fix(lint): skip per-file shell linter when LSP will handle the file (#29054)	2026-05-20 01:46:40 -05:00
path_security.py	refactor: extract shared helpers to deduplicate repeated code patterns (#7917)	2026-04-11 13:59:52 -07:00
process_registry.py	feat(cli): show live background terminal-process count in status bar (#32061)	2026-05-25 05:35:02 -07:00
registry.py	security: sanitize tool error strings before injecting into model context (#26823)	2026-05-16 00:57:39 -07:00
schema_sanitizer.py	fix(xai-responses): strip enum values containing '/' from tool schemas	2026-05-18 10:37:35 -07:00
send_message_tool.py	chore: prune unused imports and duplicate import redefinitions	2026-05-28 22:26:25 -07:00
session_search_tool.py	feat(session_search): single-shape tool with discovery, scroll, browse — no LLM (#27590)	2026-05-17 23:28:45 -07:00
skill_manager_tool.py	fix(profiles): cross-profile soft guard on file-write tools + system-prompt hint (#31290)	2026-05-24 00:38:17 -07:00
skill_provenance.py	fix(curator): only mark agent-created for background-review sediment (#19621)	2026-05-04 02:42:16 -07:00
skill_usage.py	chore: prune unused imports and duplicate import redefinitions	2026-05-28 22:26:25 -07:00
skills_ast_audit.py	refactor(skills): slim AST diagnostic to single entry point	2026-05-23 17:47:26 -07:00
skills_guard.py	feat(skills): integrate NVIDIA/skills as a trusted skills hub tap	2026-05-29 12:24:39 -07:00
skills_hub.py	feat(skills): categorize tap skills from skills.sh.json grouping sidecar	2026-05-29 12:24:39 -07:00
skills_sync.py	fix(skills): atomic lock write + drop dead _validate_category_name	2026-05-27 13:39:58 -07:00
skills_tool.py	style: restore PEP8 blank-line separation after dead-code removal	2026-05-29 04:22:27 -07:00
slash_confirm.py	fix(async): close unscheduled coroutines in all threadsafe bridges (#26584)	2026-05-15 14:00:01 -07:00
terminal_tool.py	fix(docker): cleanup_vm() default honors persist mode (don't kill container on session close)	2026-05-29 11:49:54 +10:00
thread_context.py	fix(code-exec): propagate agent-turn context into tool worker threads	2026-05-29 03:44:49 -07:00
threat_patterns.py	feat(security): promptware defense — shared threat patterns + memory load-time scan + tool-result delimiters (#32269)	2026-05-25 14:52:24 -07:00
tirith_security.py	fix(tirith): reject non-regular tar members during auto-install process	2026-05-28 02:49:26 -07:00
todo_tool.py	chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937)	2026-05-11 11:13:25 -07:00
tool_backend_helpers.py	fix(tools): guard Path.home() against PermissionError in has_direct_modal_credentials (#33528)	2026-05-29 13:35:39 +10:00
tool_output_limits.py	feat(skills): add design-md skill for Google's DESIGN.md spec (#14876)	2026-04-23 21:51:19 -07:00
tool_result_storage.py	fix(tool-result-storage): persist via stdin to bypass 128 KB exec-arg cap (#22913)	2026-05-09 18:44:58 -07:00
tool_search.py	fix(tool-search): scope bridge catalog + dispatch to the session's toolsets	2026-05-29 02:04:12 -07:00
transcription_tools.py	fix(stt,tts): restore mistralai — 2.4.8 is clean, ban lifted (#34841)	2026-05-29 13:24:12 -07:00
tts_tool.py	fix(stt,tts): restore mistralai — 2.4.8 is clean, ban lifted (#34841)	2026-05-29 13:24:12 -07:00
url_safety.py	fix(url_safety): block IPv4-mapped IPv6 addresses to prevent SSRF bypass	2026-05-18 10:51:15 -07:00
video_generation_tool.py	chore: ruff auto-fix PLR6201 resweep — tuple → set in membership tests (#27355)	2026-05-17 02:29:41 -07:00
vision_tools.py	refactor(vision): consolidate native fast-path gate into one shared helper	2026-05-29 03:58:56 -07:00
voice_mode.py	fix(voice): honor PIPEWIRE_REMOTE in PortAudio fallback checks (#33473)	2026-05-29 13:30:17 +10:00
web_tools.py	fix(web): ensure plugin discovery before web_*_tool registry lookups	2026-05-29 04:00:00 -07:00
website_policy.py	chore(web): remove web_crawl tool + provider crawl plumbing (#33824)	2026-05-28 04:52:42 -07:00
x_search_tool.py	chore: prune unused imports and duplicate import redefinitions	2026-05-28 22:26:25 -07:00
xai_http.py	feat(web): add xAI Web Search provider plugin	2026-05-19 19:27:34 -07:00
yuanbao_tools.py	Fix unsafe gateway media path delivery	2026-05-23 01:40:35 -07:00