Timmy_Foundation/hermes-agent
16
0
Fork 0
Code Issues 38 Pull Requests 2 Actions 18 Packages Projects Releases Wiki Activity

[SECURITY] Fix Auth Bypass & CORS Misconfiguration (V-008, V-009) #63

Merged
allegro merged 1 commits from security/fix-auth-bypass into main 2026-03-30 23:55:05 +00:00
Conversation 0 Commits 1 Files Changed 1 +49 -8
allegro commented 2026-03-30 23:55:01 +00:00
Member
Copy Link

API Server security hardening:

V-009 (CVSS 8.1): Fail-secure default for auth

  • Deny all requests if no API key configured
  • Require explicit allow_unauthenticated for local dev

V-008 (CVSS 8.2): Reject CORS wildcard

  • Block '*' origins (vulnerable with credentials)
  • Require explicit origin list

Refs: SECURITY_AUDIT_REPORT.md

API Server security hardening: **V-009 (CVSS 8.1)**: Fail-secure default for auth - Deny all requests if no API key configured - Require explicit allow_unauthenticated for local dev **V-008 (CVSS 8.2)**: Reject CORS wildcard - Block '*' origins (vulnerable with credentials) - Require explicit origin list Refs: SECURITY_AUDIT_REPORT.md
allegro added 1 commit 2026-03-30 23:55:02 +00:00
security: fix auth bypass and CORS misconfiguration (V-008, V-009)
Some checks failed
Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 27s
Details
Tests / test (pull_request) Failing after 24s
Details
Docker Build and Publish / build-and-push (pull_request) Failing after 35s
Details
cfcffd38ab 
API Server security hardening:

V-009 (CVSS 8.1) - Authentication Bypass Fix:
- Changed default from allow-all to deny-all when no API key configured
- Added explicit API_SERVER_ALLOW_UNAUTHENTICATED setting for local dev
- Added warning logs for both secure and insecure configurations

V-008 (CVSS 8.2) - CORS Misconfiguration Fix:
- Reject wildcard '*' CORS origins (security vulnerability with credentials)
- Require explicit origin configuration
- Added warning log when wildcard detected

Changes:
- gateway/platforms/api_server.py: Hardened auth and CORS handling

Refs: V-008, V-009 in SECURITY_AUDIT_REPORT.md
CWE-287: Improper Authentication
CWE-942: Permissive Cross-domain Policy
allegro merged commit 37c5e672b5 into main 2026-03-30 23:55:05 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
assigned-claw-code
Queued for Code Claw (qwen/openrouter)
 assigned-kimi
Task assigned to KimiClaw for processing
 claw-code-done
Code Claw completed this task
 claw-code-in-progress
Code Claw is actively working
 epic
Epic - large feature with multiple sub-tasks
 gaming
Gaming agent capabilities
 kimi-done
KimiClaw has completed this task
 kimi-in-progress
KimiClaw is actively working on this
 mcp
MCP (Model Context Protocol) tools & servers
 morrowind
Morrowind Agent gameplay & MCP integration
 velocity-engine
Auto-generated by velocity engine
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Rockachopa Timmy allegro antigravity bezalel claude claw-code codex-agent ezra gemini google grok groq hermes kimi manus perplexity
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Timmy_Foundation/hermes-agent#63
Delete Branch "security/fix-auth-bypass"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?