hermes-agent/web/src/lib
Teknium 99bcc2de5b
fix(security): harden dashboard API against unauthenticated access (#9800)
Addresses responsible disclosure from FuzzMind Security Lab (CVE pending).

The web dashboard API server had 36 endpoints, of which only 5 checked
the session token. The token itself was served from an unauthenticated
GET /api/auth/session-token endpoint, rendering the protection circular.
When bound to 0.0.0.0 (--host flag), all API keys, config, and cron
management were accessible to any machine on the network.

Changes:
- Add auth middleware requiring session token on ALL /api/ routes except
  a small public whitelist (status, config/defaults, config/schema,
  model/info)
- Remove GET /api/auth/session-token endpoint entirely; inject the token
  into index.html via a <script> tag at serve time instead
- Replace all inline token comparisons (!=) with hmac.compare_digest()
  to prevent timing side-channel attacks
- Block non-localhost binding by default; require --insecure flag to
  override (with warning log)
- Update frontend fetchJSON() to send Authorization header on all
  requests using the injected window.__HERMES_SESSION_TOKEN__

Credit: Callum (@0xca1x) and @migraine-sudo at FuzzMind Security Lab
2026-04-14 10:57:56 -07:00
api.ts fix(security): harden dashboard API against unauthenticated access (#9800) 2026-04-14 10:57:56 -07:00
format.ts feat(web): add context window support to dashboard config 2026-04-13 22:04:35 -07:00
nested.ts feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00
utils.ts feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00