Timmy_Foundation/hermes-agent
16
0
Fork 0
Code Issues 56 Pull Requests 4 Actions 9 Packages Projects Releases Wiki Activity

security: Fix V-006 MCP OAuth Deserialization (CVSS 8.8 CRITICAL) #68

Merged
allegro merged 2 commits from security/fix-mcp-oauth-deserialization into main 2026-03-31 00:39:23 +00:00
Conversation 0 Commits 2 Files Changed 11 +3224 -48

2 Commits

Author SHA1 Message Date
Allegro
cb0cf51adf security: Fix V-006 MCP OAuth Deserialization (CVSS 8.8 CRITICAL)
Some checks failed
Nix / nix (ubuntu-latest) (pull_request) Failing after 15s
Details
Supply Chain Audit / Scan PR for supply chain risks (pull_request) Failing after 19s
Details
Docker Build and Publish / build-and-push (pull_request) Failing after 28s
Details
Tests / test (pull_request) Failing after 9m43s
Details
Nix / nix (macos-latest) (pull_request) Has been cancelled
Details 
- Replace pickle with JSON + HMAC-SHA256 state serialization
- Add constant-time signature verification
- Implement replay attack protection with nonce expiration
- Add comprehensive security test suite (54 tests)
- Harden token storage with integrity verification

Resolves: V-006 (CVSS 8.8)
 2026-03-31 00:37:14 +00:00
Allegro
49097ba09e security: add atomic write utilities for TOCTOU protection (V-015)
Some checks failed
Docker Build and Publish / build-and-push (pull_request) Failing after 1m11s
Details
Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 33s
Details
Tests / test (pull_request) Failing after 31s
Details 
Add atomic_write.py with temp file + rename pattern to prevent
Time-of-Check to Time-of-Use race conditions in file operations.

CVSS: 7.4 (High)
Refs: V-015
CWE-367: TOCTOU Race Condition
 2026-03-31 00:08:54 +00:00