CVE-2025-1293

8.2 HIGH

📋 TL;DR

CVE-2025-1293 is an authentication bypass vulnerability in Hermes versions up to 0.4.0 that improperly validates AWS ALB JWTs, potentially allowing unauthorized access to protected resources. Organizations using Hermes with AWS ALB authentication mode are affected. The vulnerability was fixed in Hermes 0.5.0.

💻 Affected Systems

Products:
  • Hashicorp Hermes
Versions: All versions up to and including 0.4.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using AWS ALB authentication mode

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain unauthorized administrative access to Hermes instances, potentially compromising sensitive documents and user data.

🟠 Likely Case

Unauthorized users bypass authentication to access protected documents and resources they shouldn't have access to.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the Hermes application layer only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires knowledge of AWS ALB JWT structure and ability to craft malicious tokens

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hermes 0.5.0

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371

Restart Required: No

Instructions:

1. Upgrade Hermes to version 0.5.0 or later
2. Verify the upgrade completed successfully
3. Test authentication functionality

🔧 Temporary Workarounds

Disable AWS ALB Authentication
Applies to: all

Temporarily disable AWS ALB authentication mode until patching can be completed

Implement Additional Authentication Layer
Applies to: all

Add network-level authentication or web application firewall rules to validate JWTs before requests reach Hermes

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Hermes instances
  • Enable detailed logging and monitoring for authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check the Hermes version and whether AWS ALB authentication mode is enabled; deployments on 0.4.0 or earlier with that mode enabled are affected

Check Version:

hermes --version

Verify Fix Applied:

Verify the Hermes version is 0.5.0 or later, then test authentication with both valid and invalid JWTs to confirm invalid tokens are rejected

📡 Detection & Monitoring

Log Indicators:

  • Failed JWT validation attempts
  • Unusual authentication patterns
  • Access from unexpected IP addresses

Network Indicators:

  • Unusual traffic patterns to Hermes authentication endpoints
  • Suspicious JWT token structures

SIEM Query:

source="hermes" AND (event="authentication_failure" OR event="jwt_validation_error")
