CVE-2025-1293

High

Published: 20 February 2025

Published

20 February 2025

Modified

18 December 2025

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS Score 0.0007 20.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

Security Summary

CVE-2025-1293 is a vulnerability in Hermes versions up to and including 0.4.0, where the software improperly validates JSON Web Tokens (JWTs) provided during AWS Application Load Balancer (ALB) authentication mode. This flaw, classified under CWE-1390, enables potential authentication bypass. The issue received a CVSS v3.1 base score of 8.2 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and was publicly disclosed on 2025-02-20.

Attackers positioned on an adjacent network can exploit this vulnerability with low attack complexity and no required privileges or user interaction. Exploitation changes the scope to high, granting unauthorized access that results in high confidentiality impact—such as reading sensitive data protected by Hermes—along with low integrity impact and no availability disruption.

HashiCorp addressed CVE-2025-1293 in Hermes version 0.5.0. Additional details on the improper JWT validation and remediation steps are available in the vendor's security advisory at https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371.

Details

CWE(s): CWE-1390

Affected Products

hashicorp

hermes

≤ 0.5.0

References

https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371
Vendor Advisory · security@hashicorp.com