CVE-2025-1293: HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass

CVSS 8.2

Description

Hermes versions up to and including 0.4.0 improperly validated the JWT presented when the AWS ALB authentication mode is in use, potentially allowing authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

Classification

CVE ID: CVE-2025-1293

CVSS Base Severity: HIGH

CVSS Base Score: 8.2

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Affected Products

Vendor: HashiCorp

Product: Tooling

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (estimated probability of exploitation in the wild)

EPSS Percentile: 3.78% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-21 (date on which this score was calculated)

References

https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371