An authenticated remote code execution vulnerability in Hermes WebUI allows attackers to execute arbitrary commands by manipulating Git configuration files in workspace repositories.

The vulnerability exists in api/workspace_git.py, where Git subprocess invocations fail to properly sanitize input. An authenticated attacker can exploit this by placing a malicious executable Git configuration (e.g., core.fsmonitor or credential.helper) within a workspace repository's .git/config file.

With a CVSS score of 8.8, this vulnerability allows an attacker with valid user credentials to gain full control over the underlying server hosting the WebUI. This could lead to unauthorized data access, lateral movement within the network, and complete compromise of the application environment.

Immediate Action: Update Hermes WebUI to version 0.51.311 or higher immediately.

Proactive Monitoring: Review access logs for unusual Git command executions or unauthorized modifications to repository configuration files.

Compensating Controls: Implement strict file permission controls on repository directories and restrict access to the WebUI to authorized personnel only.

Public Exploit Available: false

All organizations running Hermes WebUI must upgrade to the latest version immediately. Because this vulnerability allows for code execution, it is imperative to ensure that only trusted users have access to the platform until the patch is applied.