HCSEC-2025-03
**Bulletin ID:** HCSEC-2025-03

**Affected Products / Versions:** HashiCorp Hermes up to 0.4.0, fixed in Hermes 0.5.0.

**Publication Date:** Feb 19, 2025

**Summary**

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

**Background**

[Hermes](https://github.com/hashicorp-forge/hermes) is a document management system created by HashiCorp, and published as an experimental product under the hashicorp-forge GitHub organization. Hermes may be configured to use an AWS ALB for authentication.

**Details**

Hermes did not properly validate the JWT from the load balancer when using the AWS ALB authentication strategy, potentially allowing a party with direct access to the Hermes application server to bypass authentication controls. This insecure pattern is known as the “ALBeast” vulnerability.

**Remediation**

Customers using Hermes should evaluate the risk and consider upgrading to Hermes version 0.5.0 or newer.

**Acknowledgement**

This issue was identified by Liad Eliyahu of Miggo.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
**Timeline**
- Feb 20, 2025 CVE Published
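The Details section describes the validation that was missing: an application behind an ALB must treat the load balancer's JWT as untrusted input until it has pinned the algorithm, confirmed the `signer` header is the ARN of its own ALB (the ALB public-key endpoint is world-readable and keyed only by `kid`, so a valid signature alone proves nothing about which ALB issued the token), resolved the key for that `kid` from its own region, verified the ES256 signature and checked expiry. The Go example below is an added illustration of that verifier, written for this page; it is not Hermes code and not the fix shipped in 0.5.0. The header and claim names (`x-amzn-oidc-data`, `signer`, `kid`, `alg`, `exp`) and the key endpoint in the comment follow the AWS ALB authentication documentation; `OurALB` is a constructed placeholder ARN, and `SignToken` is a test stand-in for the ALB so the block runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type (
	// ALBHeader is the JOSE header of the x-amzn-oidc-data JWT; "signer" is the issuing ALB's ARN.
	ALBHeader struct {
		Alg    string `json:"alg"`
		Kid    string `json:"kid"`
		Signer string `json:"signer"`
	}
	ALBClaims struct { // subset of the OIDC claims checked here
		Email string `json:"email"`
		Exp   int64  `json:"exp"`
	}
	// KeyLookup maps a kid to the ALB's ECDSA public key. Production code fetches
	// https://public-keys.auth.elb.<region>.amazonaws.com/<kid> for its own region.
	KeyLookup func(kid string) (*ecdsa.PublicKey, error)
)

// decode tolerates the '=' padding the ALB emits (strict JWT decoders reject it) and, when out is non-nil, parses JSON.
func decode(seg string, out any) ([]byte, error) {
	seg = strings.NewReplacer("-", "+", "_", "/").Replace(seg)
	b, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(seg, "="))
	if err == nil && out != nil {
		err = json.Unmarshal(b, out)
	}
	return b, err
}

// VerifyALBToken returns the claims only if every check passes; claims are parsed early but never trusted before the signature is verified.
func VerifyALBToken(token, expectedSigner string, keys KeyLookup) (*ALBClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr ALBHeader
	var claims ALBClaims
	_, errH := decode(parts[0], &hdr)
	_, errC := decode(parts[1], &claims)
	if err := errors.Join(errH, errC); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if hdr.Alg != "ES256" { // pin the algorithm; the token never gets to choose it
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	if hdr.Signer == "" || hdr.Signer != expectedSigner { // the ALBeast check: our ALB, not any ALB
		return nil, fmt.Errorf("unexpected signer %q", hdr.Signer)
	}
	pub, err := keys(hdr.Kid)
	if err != nil {
		return nil, fmt.Errorf("key %q: %w", hdr.Kid, err)
	}
	sig, err := decode(parts[2], nil)
	if err != nil || len(sig) != 64 { // ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	if claims.Exp == 0 || !time.Now().Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return &claims, nil
}

// SignToken stands in for the ALB so the example runs offline (applications never mint these tokens); like the ALB it emits padded segments.
func SignToken(priv *ecdsa.PrivateKey, hdr ALBHeader, claims ALBClaims) (string, error) {
	h, _ := json.Marshal(hdr)
	c, _ := json.Marshal(claims)
	input := base64.URLEncoding.EncodeToString(h) + "." + base64.URLEncoding.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.URLEncoding.EncodeToString(sig), nil
}

// OurALB is a constructed placeholder; a deployment pins the ARN of its real ALB.
const OurALB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/hermes/0123456789abcdef"

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := SignToken(priv, ALBHeader{Alg: "ES256", Kid: "k1", Signer: OurALB}, ALBClaims{Email: "user@example.com", Exp: time.Now().Add(time.Minute).Unix()})
	fmt.Println(VerifyALBToken(tok, OurALB, func(string) (*ecdsa.PublicKey, error) { return &priv.PublicKey, nil }))
}
```

The signer comparison is the check that distinguishes a token from the deployment's own ALB from one any other ALB could have issued; the signature check alone does not, because every ALB's key is resolvable from the same public endpoint. The bulletin's wording about "direct access to the Hermes application server" points at the complementary control: the application should only be reachable through the ALB (security groups permitting the load balancer alone), so that the `x-amzn-oidc-data` header is always one the ALB set rather than one a client supplied.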