Summary
Gateway pairing codes in gateway/pairing.py (lines ~181-186) are stored as plaintext keys in {platform}-pending.json files. Although the files have 0o600 permissions and codes expire after 1 hour, any process running as the same user (including the code execution sandbox) can read pending pairing codes.
Impact
In a shared-user environment or if the code execution sandbox is compromised (see PYTHONPATH issue), an attacker can:
- Read pending pairing codes from ~/.hermes/{platform}-pending.json
- Auto-approve their own access to the messaging gateway
- Gain full control of the agent's messaging capabilities
Suggested Fix
Store codes as salted hashes (bcrypt/scrypt) instead of plaintext. Verification compares the hash; the plaintext code is only shown to the user once at generation time:
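```python
import bcrypt

def store_pairing_code(code: str) -> str:
    # Persist only the salted bcrypt hash, never the plaintext code.
    return bcrypt.hashpw(code.encode(), bcrypt.gensalt()).decode()

def verify_pairing_code(code: str, stored_hash: str) -> bool:
    # checkpw re-hashes the candidate with the stored salt and compares.
    return bcrypt.checkpw(code.encode(), stored_hash.encode())
```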
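An added sketch (not the project's code) of what hashed storage means for the pending file: a salted hash can no longer serve as the lookup key, so redemption has to test the submitted code against each unexpired record. It uses the standard library's scrypt; the record layout, function names, code format and cost parameters are assumptions.

```python
# Hypothetical names and record layout; not taken from gateway/pairing.py.
import hashlib, hmac, json, os, secrets, time

CODE_TTL = 3600  # seconds; the page states codes expire after 1 hour
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters

def _digest(code, salt):
    return hashlib.scrypt(code.encode(), salt=salt, **SCRYPT).hex()

def add_pending(pending, user_id, now=None):
    """Append a salted-hash record; return the plaintext code once."""
    now = time.time() if now is None else now
    code = secrets.token_hex(4).upper()  # assumed code format
    salt = secrets.token_bytes(16)       # fresh salt per code
    pending.append({"user_id": user_id, "salt": salt.hex(),
                    "hash": _digest(code, salt),
                    "expires": now + CODE_TTL})
    return code

def redeem(pending, code, now=None):
    """Return the user_id for a valid code and consume it, else None."""
    now = time.time() if now is None else now
    pending[:] = [e for e in pending if e["expires"] > now]  # drop expired
    for entry in pending:
        # A salted hash cannot be a lookup key, so test each record.
        candidate = _digest(code, bytes.fromhex(entry["salt"]))
        if hmac.compare_digest(candidate, entry["hash"]):
            pending.remove(entry)  # single use
            return entry["user_id"]
    return None

def save_pending(pending, path):
    """Write the records with 0o600 permissions, as the page describes."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(pending, fh)
```

Hashing protects a stored code only in proportion to the code's entropy, so short codes benefit from a longer format as well as a slow hash.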
Severity
Warning — requires same-user access or sandbox escape to exploit.