Timmy_Foundation/hermes-agent
16
0
Fork 0
Code Issues 67 Pull Requests 3 Actions 8 Packages Projects Releases Wiki Activity

[SECURITY] Block Dangerous Docker Volume Mounts (V-012, CVSS 8.7) #64

Merged
allegro merged 1 commits from security/fix-docker-privilege into main 2026-03-30 23:55:51 +00:00
Conversation 0 Commits 1 Files Changed 1 +29

1 Commits

Author SHA1 Message Date
Allegro
ed32487cbe security: block dangerous Docker volume mounts (V-012, CVSS 8.7)
Some checks failed
Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 28s
Details
Tests / test (pull_request) Failing after 29s
Details
Docker Build and Publish / build-and-push (pull_request) Failing after 42s
Details 
Prevent privilege escalation via Docker socket mount.

Changes:
- tools/environments/docker.py: Add _is_dangerous_volume() validation
- Block docker.sock, /proc, /sys, /dev, root fs mounts
- Log security error when dangerous volume detected

Fixes container escape vulnerability where user-configured volumes
could mount Docker socket for host compromise.

CVSS: 8.7 (High)
Refs: V-012 in SECURITY_AUDIT_REPORT.md
CWE-250: Execution with Unnecessary Privileges
 2026-03-30 23:55:45 +00:00