Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.
AnalysisAI
Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availability by abusing the WebAuthn passkey options endpoint without rate limiting or challenge lifecycle enforcement. Repeated POST requests to the authentication endpoint cause the server-side challenge store file to grow without bound, generating sustained CPU load and disk I/O pressure through continuous JSON file rewrites. No public exploit identified at time of analysis and not listed in CISA KEV; EPSS data was not available in provided intelligence. The fix is confirmed in the vendor-released v0.51.270.
Technical ContextAI
The affected component is the passkey (WebAuthn/FIDO2) authentication flow in Hermes WebUI, a web-based interface developed by nesquena (CPE: cpe:2.3:a:nesquena:hermes-webui:*:*:*:*:*:*:*:*). During a standard WebAuthn assertion, the server generates a cryptographic challenge and temporarily stores it pending client completion. In vulnerable versions before 0.51.270, the server neither enforces challenge expiration nor limits how many pending challenges a single caller may accumulate. Challenges are persisted to a flat JSON file; each new challenge triggers a full read-modify-write cycle of that file, meaning throughput scales linearly with request rate. CWE-770 (Allocation of Resources Without Limits or Throttling) is the root cause class - the application allocates storage and I/O resources on demand for each incoming request without any bounding mechanism, making the resource pool exploitable by any client that can reach the endpoint.
RemediationAI
Upgrade Hermes WebUI to v0.51.270, the vendor-released patch confirmed at https://github.com/nesquena/hermes-webui/releases/tag/v0.51.270 and implemented via commit 58528a4d88b0fa4f7b822e31d6051c669769bd3b (https://github.com/nesquena/hermes-webui/commit/58528a4d88b0fa4f7b822e31d6051c669769bd3b). If immediate upgrade is not possible, operators should place a reverse proxy or WAF in front of Hermes WebUI configured to rate-limit POST requests to the passkey options endpoint (e.g., restrict to a maximum of N requests per source IP per minute); note that aggressive rate limits may affect legitimate high-concurrency login flows. Alternatively, disabling the passkey authentication feature entirely removes the attack surface, with the trade-off of losing WebAuthn login capability for all users. Blocking unauthenticated external access to the authentication endpoints via network controls is a further compensating measure for deployments not requiring internet-facing passkey enrollment.
More in Hermes Webui
View allUnauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell
Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints t
Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first pass
Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settin
Cross-profile authorization bypass in Hermes WebUI before 0.51.368 allows authenticated users to access sessions, files,
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic
Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files ou
Cross-profile data disclosure in Hermes WebUI before 0.51.269 allows authenticated users to read session titles and tran
Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session tra
Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation trans
Resource exhaustion in Hermes WebUI before 0.51.468 exposes an unauthenticated POST /api/onboarding/oauth/start endpoint
Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user oper
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35494
GHSA-wwx5-jq7h-rp7v