CVE-2025-1293

High

Published: 20 February 2025

Published

20 February 2025

Modified

18 December 2025

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS Score 0.0007 20.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1293 is a high-severity Weak Authentication (CWE-1390) vulnerability in Hashicorp Hermes. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to External Remote Services (T1133). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the improper JWT validation flaw by requiring timely identification, reporting, and patching to Hermes version 0.5.0.

SI-10 Information Input Validation good match

prevent

Requires validation of information inputs, such as JWTs in AWS ALB authentication mode, to prevent authentication bypass from improper validation.

IA-5 Authenticator Management partial match

prevent

Mandates secure management and verification of authenticators like JWTs to mitigate risks of improper validation leading to unauthorized access.

MITRE ATT&CK Enterprise TechniquesAI

T1133 External Remote Services Persistence

Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

attack.mitre.org →

Why these techniques?

Improper JWT validation enables authentication bypass against an AWS ALB-protected remote service, directly facilitating Initial Access via External Remote Services.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

Deeper analysisAI

CVE-2025-1293 is a vulnerability in Hermes versions up to and including 0.4.0, where the software improperly validates JSON Web Tokens (JWTs) provided during AWS Application Load Balancer (ALB) authentication mode. This flaw, classified under CWE-1390, enables potential authentication bypass. The issue received a CVSS v3.1 base score of 8.2 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and was publicly disclosed on 2025-02-20.

Attackers positioned on an adjacent network can exploit this vulnerability with low attack complexity and no required privileges or user interaction. Exploitation changes the scope to high, granting unauthorized access that results in high confidentiality impact—such as reading sensitive data protected by Hermes—along with low integrity impact and no availability disruption.

HashiCorp addressed CVE-2025-1293 in Hermes version 0.5.0. Additional details on the improper JWT validation and remediation steps are available in the vendor's security advisory at https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371.

Details

CWE(s): CWE-1390

Affected Products

hashicorp

hermes

≤ 0.5.0

CVEs Like This One

CVE-2025-0377Same vendor: Hashicorp

CVE-2026-5807Same vendor: Hashicorp

CVE-2025-0937Same vendor: Hashicorp

CVE-2026-3605Same vendor: Hashicorp

CVE-2026-5052Same vendor: Hashicorp

CVE-2026-4525Same vendor: Hashicorp

CVE-2025-6000Same vendor: Hashicorp

CVE-2025-11621Same vendor: Hashicorp

CVE-2026-4924Shared CWE-1390

CVE-2024-52541Shared CWE-1390

References

https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371
Vendor Advisory · security@hashicorp.com