Home > Vulnerability Database > CVE-2025-1293

Mend.io Vulnerability Database

CVE-2025-1293

Good to know:

Date: February 19, 2025

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

Severity Score

8.2

Related Resources (6)

Url: https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371

Url: https://github.com/hashicorp-forge/hermes

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-1293

Url: https://github.com/advisories/GHSA-vxm9-8mfw-vc6g

Url: https://github.com/hashicorp-forge/hermes/commit/e36d479616099bd0c8dfde6786ea671f112d9106

Url: https://www.mend.io/vulnerability-database/CVE-2025-1293

Severity Score

8.2

Weakness Type (CWE)

Weak Authentication

CWE-1390

Top Fix

Upgrade Version

Upgrade to version github.com/hashicorp-forge/hermes - v0.5.0

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-1293

Good to know:

Date: February 19, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?