VDB
GO-2025-3475
GO-2025-3475
PUBLISHED
Hermes improperly validates a JWT in github.com/hashicorp-forge/hermes
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | hashicorp-forge/hermes | 0, 0 |
Timeline
- Mar 3, 2025 CVE Published
- Mar 3, 2026 CVE Updated
- May 1, 2026 Security Advisory
References
- https://github.com/advisories/GHSA-vxm9-8mfw-vc6g advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-1293 advisory
- https://github.com/hashicorp-forge/hermes/commit/e36d479616099bd0c8dfde6786ea671f112d9106 patch
- https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371 url