CVE-2025-1293 · HIGH 8.2 · EPSS p23.7%

Description

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.32% probability of exploitation · percentile 23.7% · 2026-06-19T12:03:05Z
Published: 2025-02-20
Last modified: 2025-12-18

Underlying weaknesses · 1

CWE-1390

References

  1. https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371

Type | Target | Confidence | Tier
Weakness | Weak Authentication (cwe-1390) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-3757
CVE-2026-49955
CVE-2026-4525
CVE-2026-11322
CVE-2025-70043
CVE-2025-45472

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.