GHSA-JM5J-JFRM-HM23

Vulnerability from github – Published: 2026-01-13 20:30 – Updated: 2026-01-13 20:30
VLAI?
Summary
hermes's raw options logging may disclose secrets passed in via subcommand options argument
Details

Thanks, @thunze for reporting this!

hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form since https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 in: https://github.com/softwarepub/hermes/blob/3a92f42b2b976fdbc2c49a621de6d665364a7cee/src/hermes/commands/cli.py#L66

If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file.

Impact

As currently, hermes.log is not yet uploaded automatically as an artifact in CI, this vuln impacts:

  • local users working on shared access computers, where logs may be written to a commonly accessible file system
  • CI users whose CI logs are accessible to others, e.g., through group or organization rights

Potentially, if the changes merged from https://github.com/softwarepub/ci-templates/pull/13 are merged into ci-templates via https://github.com/softwarepub/ci-templates/pull/14, this would automate the disclosure of Invenio auth tokens at least for all CI runs against Invenio instances!

Patches

This has been patched in hermes 0.9.1 by masking all values passed using -O.

Workarounds

Upgrade to hermes >= 0.9.1.

Severity ?
5.9 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "hermes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.1"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T20:30:54Z",
    "nvd_published_at": "2026-01-12T22:16:08Z",
    "severity": "MODERATE"
  },
  "details": "Thanks, @thunze for reporting this!\n\n`hermes` subcommands take arbitrary options under the `-O` argument. These have been logged in raw form since https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 in: https://github.com/softwarepub/hermes/blob/3a92f42b2b976fdbc2c49a621de6d665364a7cee/src/hermes/commands/cli.py#L66\n\nIf users provide sensitive data such as API tokens (e.g., via `hermes deposit -O invenio_rdm.auth_token SECRET`), these are written to the log file in plain text, making them available to whoever can access the log file.\n\n### Impact\n\nAs currently, `hermes.log` is not yet uploaded automatically as an artifact in CI, this vuln impacts:\n\n- local users working on shared access computers, where logs may be written to a commonly accessible file system\n- CI users whose CI logs are accessible to others, e.g., through group or organization rights\n\nPotentially, if the changes merged from https://github.com/softwarepub/ci-templates/pull/13 are merged into `ci-templates` via https://github.com/softwarepub/ci-templates/pull/14, this would automate the disclosure of Invenio auth tokens at least for all CI runs against Invenio instances!\n\n### Patches\n\nThis has been patched in [`hermes` 0.9.1](TODO) by masking all values passed using `-O`.\n\n### Workarounds\n\nUpgrade to `hermes` \u003e= 0.9.1.",
  "id": "GHSA-jm5j-jfrm-hm23",
  "modified": "2026-01-13T20:30:54Z",
  "published": "2026-01-13T20:30:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22798"
    },
    {
      "type": "WEB",
      "url": "https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/softwarepub/hermes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "hermes\u0027s raw options logging may disclose secrets passed in via subcommand options argument"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.