x/vulndb: potential Go vuln in github.com/hashicorp-forge/hermes: GHSA-vxm9-8mfw-vc6g

[GoVulnBot]

Advisory GHSA-vxm9-8mfw-vc6g references a vulnerability in the following Go modules:

Module
github.com/hashicorp-forge/hermes

Description:
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.

References:

• ADVISORY: GHSA-vxm9-8mfw-vc6g
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-1293
• FIX: hashicorp-forge/hermes@e36d479
• WEB: https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp-forge/hermes
      versions:
        - fixed: 0.5.0
      vulnerable_at: 0.4.0
summary: Hermes improperly validates a JWT in github.com/hashicorp-forge/hermes
cves:
    - CVE-2025-1293
ghsas:
    - GHSA-vxm9-8mfw-vc6g
references:
    - advisory: https://github.com/advisories/GHSA-vxm9-8mfw-vc6g
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-1293
    - fix: https://github.com/hashicorp-forge/hermes/commit/e36d479616099bd0c8dfde6786ea671f112d9106
    - web: https://discuss.hashicorp.com/t/hcsec-2025-03-hashicorp-hermes-improperly-validates-aws-alb-jwts-which-may-lead-to-authentication-bypass/73371
source:
    id: GHSA-vxm9-8mfw-vc6g
    created: 2025-02-20T21:01:27.501261476Z
review_status: UNREVIEWED