Listen to this Post
The vulnerability stems from how the `hermes` command-line tool, used for automating software publication, handles the `-O` argument. In versions 0.8.1 up to (but not including) 0.9.1, the tool accepts arbitrary key-value pairs via this `-O` flag for various subcommands. The flaw lies in the logging mechanism, which writes these arguments to the log file in their raw, unredacted form. Consequently, if a user passes sensitive information—such as an API token or secret—through the `-O` argument (e.g., hermes deposit -O invenio_rdm.auth_token SECRET), that secret is written to `hermes.log` in plain text. This exposes the credential to any user or process with read access to the log file, which could be other local users on a shared system, or individuals with access to CI/CD logs if the tool is run in such an environment. The issue is rooted in the logging function defined in `cli.py` that does not sanitize the input before writing. The fix, implemented in version 0.9.1, involves masking all values passed via the `-O` argument in the logs .
Platform: softwarepub hermes
Version: 0.8.1 to 0.9.0
Vulnerability : Sensitive info exposure
Severity: MEDIUM (5.9 CVSS)
date: 2026-01-12
Prediction: Patched in 0.9.1
What Undercode Say:
Analysis:
The vulnerability is a classic case of CWE-532: Insertion of Sensitive Information into Log File. It requires local access to the log files and user interaction (passing a secret via the command line). The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N) indicates a high integrity impact because an exposed token could be used to modify software publications or access restricted resources .
Detection and Remediation Commands:
1. Check your current version of hermes hermes --version 2. Search existing logs for exposed secrets (e.g., API tokens) grep -iE "(auth_token|api_key|secret|password)" /path/to/hermes.log 3. If vulnerable, rotate all potentially exposed secrets immediately. Example for InvenioRDM token (hypothetical command) invenio tokens revoke --name my-publishing-token 4. Securely wipe or truncate the log file containing secrets (if no longer needed for debugging) Be careful with regulatory compliance (log retention policies) sudo shred -u /path/to/hermes.log Or create a new empty log file sudo truncate -s 0 /path/to/hermes.log 5. Set strict permissions on the log directory to prevent unauthorized access sudo chmod 750 /var/log/hermes sudo chown root:hermes-users /var/log/hermes/hermes.log sudo chmod 640 /var/log/hermes/hermes.log 6. Upgrade to the patched version pip install --upgrade hermes>=0.9.1 or, if installed via another method, use the appropriate package manager.
How Exploit:
- Victim Action: A user with publishing privileges runs a command to deposit software, including their secret token:
`hermes deposit -O invenio_rdm.auth_token my_super_secret_123`
- Logging: The `hermes` application, in its default logging routine, writes the full command or the parsed `-O` options to a log file (e.g.,
hermes.log). The line in the log appears as: `[2026-03-08 10:00:00] INFO: Running deposit with options: {‘invenio_rdm.auth_token’: ‘my_super_secret_123’}`
3. Attacker Access: An attacker with local access to the machine (or access to a log aggregation service where the log is stored) reads the log file. - Credential Theft: The attacker searches for patterns like `auth_token` or `secret` and extracts the plain-text value
my_super_secret_123. - Lateral Movement/Impact: The attacker now uses the stolen token to authenticate as the victim to the InvenioRDM instance, potentially uploading malicious software or altering existing records.
Protection from this CVE:
Immediate Patch: Upgrade to `hermes` version 0.9.1 or later, where the values passed via `-O` are masked in logs .
Use Environment Variables: Avoid passing secrets directly in commands. Configure the tool to read secrets from environment variables or secure configuration files.
export INVENIO_RDM_AUTH_TOKEN="my_super_secret_123" hermes deposit Tool modified to read from env var
Strict Log Permissions: Implement the principle of least privilege on log files. Ensure only necessary users/processes have read access.
Log Sanitization: If using a centralized logging system, implement rules to redact patterns that look like secrets (e.g., UUIDs, long strings) before storage.
Audit Commands: Regularly audit shell histories and CI/CD scripts to ensure secrets are not being passed as inline arguments.
Impact:
Confidentiality Breach: Sensitive API tokens, passwords, and keys are exposed in plain text.
Account Takeover: Attackers can use exposed tokens to gain unauthorized access to external services (like InvenioRDM, Zenodo, etc.) .
Data Integrity Compromise: With a valid token, an attacker could modify, delete, or publish fraudulent software packages, undermining the trust in the software supply chain .
Lateral Movement: Exposed credentials might be reused across different services, allowing an attacker to broaden their access within an organization’s infrastructure.
Compliance Violations: Exposure of secrets can lead to violations of data protection regulations (e.g., GDPR, HIPAA) if the compromised service handles personal data .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

