CVE-2025-1293 - How Weak JWT Validation in Hermes (<=.4.) Let Attackers Slip Past AWS ALB Authentication

In the world of cloud-native services, security issues can quickly ripple out and create huge risks for organizations. One such issue was discovered in Hermes—an open-source reverse proxy—where versions up to and including .4. didn’t properly check the authenticity of JSON Web Tokens (JWTs) when AWS Application Load Balancer (ALB) authentication was enabled. This bug, now officially tracked as CVE-2025-1293, enabled attackers to bypass authentication completely. Let’s break down what happened, why it was so serious, and how it’s now fixed in Hermes .5..

What Is Hermes?

Hermes is a lightweight reverse proxy built for modern cloud-native environments. It’s especially popular due to its support for AWS-native authentication methods like ALB authentication, making it a go-to choice for teams running containerized workloads in AWS.

GitHub repo: https://github.com/hermes-proxy/hermes

The Vulnerability: Improper JWT Validation

JWTs (JSON Web Tokens) are the backbone of modern, stateless authentication. In secure systems, servers must validate these tokens—in particular, checking the signature to make sure nobody has tampered with or forged a token.

Prior to version .5., Hermes’ AWS ALB authentication mode simply accepted any JWT provided by the user at face value without verifying its signature or claims. This severe oversight meant that attackers could craft a fake JWT with arbitrary content, present it to Hermes, and waltz right past authentication—even if they had no real credentials.

References

- Hermes Release .5. Changelog
- Original CVE entry

Example: How the Bypass Works

Let’s look at a simplified example of what went wrong.

Suppose an attacker wants to access a protected endpoint behind Hermes. Normally, they’d need a valid JWT issued by AWS Cognito or another trusted provider. But with Hermes <=.4., the following fake JWT would pass:

// This JWT has a harmless payload and an invalid (unsigned) signature
const fakeJwt = [
  btoa('{"alg":"none","typ":"JWT"}'), // header
  btoa('{"sub":"attacker","aud":"your-service","exp":9999999999}'), // payload
  "" // no signature at all
].join('.');

All the attacker has to do is send a request like

GET /protected HTTP/1.1
Host: your-hermes-proxy.com
Authorization: Bearer <fakeJwt>

Result: Hermes happily accepts the token and forwards the request to the backend service. Authentication has been bypassed.

Here’s a snippet illustrating the flawed logic

// Vulnerable Hermes version example (pseudo-Go)
func ValidateToken(token string) bool {
    // Should verify signature, but this just decodes payload
    payload, err := base64Decode(strings.Split(token, ".")[1])
    if err == nil && payload["exp"] > now() {
        return true // BAD: No signature check!
    }
    return false
}

Why Is This Bad?

JWTs exist to prove that the user is really who they say they are. If you don’t verify the JWT’s signature, anyone can make a token. This turns authentication into a mere *suggestion*.

For users of Hermes <=.4. with AWS ALB auth enabled

- Any unauthenticated attacker can access internal apps/services.
- Security relies only on the attacker’s ability to construct a JWT, which any tool or online generator can do.

Any claims, such as admin roles, can be forged.

Bottom Line: ALB authentication in these Hermes versions is equivalent to having *no authentication at all*.

Fix: How Hermes .5. Solved the Problem

In version .5., Hermes now correctly validates JWT signatures according to the configured AWS ALB public keys. Tokens are only accepted if the cryptographic signature matches, and standard JWT claims like exp are properly enforced.

Relevant patch

- JWT Verification in Hermes .5.

Fixed validation logic

func ValidateToken(token string) bool {
    // Use proper JWT library to verify the full token using the public key
    verified, err := jwtLibrary.Verify(token, awsALBPublicKey)
    return verified && err == nil
}

How to Protect Yourself

1. Upgrade Hermes ASAP. Use version .5. or newer. Previous versions are unsafe if you rely on AWS ALB authentication.
2. Audit your infrastructure for any old Hermes deployments, especially ones routing sensitive traffic.

Further Reading

- Hermes documentation
- JWT Best Practices
- Amazon ALB Authentication

Conclusion

CVE-2025-1293 is a textbook example of why careful JWT validation is critical in all layers of your stack—not just in your app, but in your proxies too. If you use Hermes with AWS ALB auth, upgrade now to .5. or later. Security is only as strong as your weakest link!


*Original research for this post. Please let others know if your organization or friends use Hermes in any AWS-native setups!*

Timeline

Published on: 02/20/2025 01:15:09 UTC