## Hermes CLI Path Traversal Vulnerability: Malicious Archives Could Overwrite System Files
A critical path traversal vulnerability in the Hermes CLI tool's profile archive extraction has been identified and patched. The flaw, a classic 'zip slip' attack vector, allowed a maliciously crafted `.tar.gz` archive to write files outside the intended destination directory. This created a direct risk where an attacker could overwrite critical system files like `/etc/passwd` or `/etc/cron.d/evil`, or inject executables into the user's `~/.hermes/` configuration directory.

The vulnerability was exploitable through two primary commands: `hermes profile import` and `hermes claw migrate`. When a user ran either command on an archive received from an untrusted source, a specially crafted archive could contain member files with absolute paths (e.g., `/etc/passwd`) or relative paths using directory traversal sequences (e.g., `../../etc/cron.d/evil`). The extraction process would then place these files in those unintended, often system-critical, locations, bypassing the intended containment within the Hermes profile directory.

The fix implements a robust defense-in-depth strategy. It preserves an existing normalization layer but adds a crucial second layer of validation. This new layer explicitly checks each extracted file's final resolved path against the intended safe destination directory, rejecting any path that attempts to escape. This closes the security gap, preventing the archive extraction from being used as a vector for system compromise or configuration hijacking.
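The second validation layer described above, written here as an added Python example rather than Hermes's own code: each tar member's resolved path must stay inside the destination directory, and the check runs over the whole archive before anything is written. It goes one step beyond the text by also checking where symlink and hardlink members point, since a link that escapes the directory would give a later member a path outside it; the function names, the `build_archive` fixture and the `/tmp/hermes-profile` destination are assumptions.

```python
import io
import os
import tarfile

def is_safe_member(dest_dir, member_name):
    """True only if member_name, joined onto dest_dir, still resolves inside dest_dir."""
    dest = os.path.realpath(dest_dir)
    # os.path.join drops dest when member_name is absolute ("/etc/passwd"), and
    # "../../etc/cron.d/evil" climbs out; both fail the containment check below.
    candidate = os.path.realpath(os.path.join(dest, member_name))
    return os.path.commonpath([dest, candidate]) == dest

def link_target_is_safe(dest_dir, member):
    """Symlink and hardlink members are also checked on where they point."""
    if member.issym():  # a symlink target is relative to the directory holding the link
        target = os.path.join(os.path.dirname(member.name), member.linkname)
        return is_safe_member(dest_dir, target)
    if member.islnk():  # a hardlink target is relative to the archive root
        return is_safe_member(dest_dir, member.linkname)
    return True

def find_unsafe_member(archive_bytes, dest_dir):
    """Return the name of the first member that would land outside dest_dir, else None."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not (is_safe_member(dest_dir, m.name) and link_target_is_safe(dest_dir, m)):
                return m.name
    return None

def safe_extract(archive_bytes, dest_dir):
    """Validate every member first; nothing is written if any one of them escapes."""
    offender = find_unsafe_member(archive_bytes, dest_dir)
    if offender is not None:
        raise ValueError(f"refusing to extract member outside destination: {offender!r}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        tar.extractall(dest_dir)

def build_archive(entries):
    """Constructed fixture: bytes -> regular file, ("symlink", target) -> symlink member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in entries.items():  # names are written verbatim, crafted or not
            info = tarfile.TarInfo(name=name)
            if isinstance(payload, tuple):
                info.type, info.linkname = tarfile.SYMTYPE, payload[1]
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Recent Python releases enforce the same containment natively through `tarfile`'s `filter="data"` extraction filter (PEP 706); the explicit version above shows what that filter checks.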

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, path traversal, zip slip, CVE-class
- **Credibility**: unverified
- **Published**: 2026-04-13 02:22:37
- **ID**: 61097
- **URL**: https://whisperx.ai/en/intel/61097