CVE-2026-49955
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor     Product        Version / Range
hermes     hermes_webui   up to 0.51.270 (excluding)
nesquena   hermes_webui   up to 0.51.270 (excluding)
CWE
CWE-770 (Allocation of Resources Without Limits or Throttling): The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-49955 is a resource exhaustion vulnerability in Hermes WebUI versions before 0.51.270. It allows unauthenticated remote attackers to degrade service availability by repeatedly sending POST requests to the passkey options endpoint without completing the authentication process.

Each uncompleted request adds an entry to the challenge store, a JSON file that tracks pending WebAuthn challenges, so the file grows without bound. Because the whole file is rewritten on every request, this also drives excessive CPU and disk I/O, ultimately degrading login availability.

Attempts to fix this issue introduced caps on pending challenges and rate limiting, but flaws in the implementation allow attackers to bypass some limits, making the global cap the only effective backstop. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).

Impact Analysis

This vulnerability can impact you by allowing attackers to degrade or deny service availability of the Hermes WebUI authentication system.

Attackers can send unlimited POST requests to the passkey options endpoint, causing the system to consume excessive CPU and disk resources due to unbounded growth of the challenge store file.

As a result, legitimate users may experience degraded login availability or complete denial of service, preventing them from authenticating successfully.

Detection Guidance

This vulnerability can be detected by monitoring unusual or excessive POST requests to the passkey options authentication endpoint of Hermes WebUI. Specifically, look for repeated unauthenticated POST requests that cause unbounded growth of the .passkey_challenges.json file and increased CPU and disk I/O usage.

To detect this on your system, you can monitor network traffic for repeated POST requests to the relevant endpoint and check the size and growth rate of the challenge store file.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to filter POST requests to the passkey options endpoint.
  • Example tcpdump command to capture POST requests to the passkey options endpoint (adjust the port and the endpoint path for your deployment; the BPF expression selects only TCP segments that carry payload): tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /path/to/passkey/options'. This only works for plaintext HTTP; where the WebUI sits behind TLS, use the reverse proxy's access log instead.
  • Monitor the size of the .passkey_challenges.json file on the server filesystem to detect unbounded growth, e.g., using: watch -n 5 ls -lh /path/to/.passkey_challenges.json
  • Check system CPU and disk I/O usage for spikes that correlate with increased POST requests, using tools like top, htop, iotop, or sar.
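The two checks above (request bursts per source and growth of the challenge store file) can be automated. The following is an added example, not code from the page or from the Hermes project: it parses reverse-proxy access log lines in Common Log Format, flags sources whose POSTs to the passkey options endpoint exceed a threshold inside a sliding window, and evaluates a series of file-size samples for unbounded growth. The endpoint path, the log format, the thresholds and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder path: the page does not give the real route of the Hermes WebUI
# passkey options endpoint; substitute your deployment's path.
PASSKEY_OPTIONS_PATH = "/path/to/passkey/options"

# Common Log Format as written by most reverse proxies, e.g.
# 203.0.113.7 - - [09/Jun/2026:10:00:01 +0000] "POST /path/to/passkey/options HTTP/1.1" 200 312
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"]}


def find_bursty_sources(lines, window=timedelta(seconds=60), threshold=20,
                        path=PASSKEY_OPTIONS_PATH):
    """Return {ip: peak_count} for every source whose POSTs to `path` exceed
    `threshold` inside any sliding `window`. Other requests are ignored, so a
    busy but normal login page does not trigger the alert."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def challenge_store_growth(samples, max_growth_bytes):
    """samples: (timestamp, size_bytes) readings of .passkey_challenges.json.
    Returns (growth_bytes, alert). In normal use pending challenges are
    consumed or expire, so the file should stay roughly bounded."""
    if len(samples) < 2:
        return 0, False
    sizes = [size for _, size in sorted(samples)]
    growth = sizes[-1] - sizes[0]
    return growth, growth > max_growth_bytes


def constructed_log():
    """Constructed sample: one source sends 30 POSTs in 30 seconds, a second
    source behaves normally (3 POSTs and a GET)."""
    base = datetime(2026, 6, 9, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{t}] "POST {PASSKEY_OPTIONS_PATH} HTTP/1.1" 200 312')
    for i in range(3):
        t = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{t}] "POST {PASSKEY_OPTIONS_PATH} HTTP/1.1" 200 312')
    lines.append(f'198.51.100.4 - - [{base.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    print("bursty sources:", find_bursty_sources(constructed_log()))
    print("store growth:", challenge_store_growth([(0, 4096), (5, 4200), (10, 900000)], 100000))
```

Tune the window and threshold to the real login rate of the deployment; a passkey ceremony normally produces one options request per login attempt, so tens of requests per minute from a single source with no matching assertion is the pattern to alert on.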

Mitigation Strategies

Immediate mitigation steps include upgrading Hermes WebUI to version 0.51.270 or later, which contains fixes to limit the growth of pending passkey challenges and prevent resource exhaustion.

The fixes in the updated version implement global caps on pending challenges, process-local locks to prevent race conditions, and an eviction mechanism that removes the oldest challenges instead of rejecting new requests, reducing the risk of denial-of-service.

If upgrading immediately is not possible, consider implementing network-level rate limiting or firewall rules to restrict the number of POST requests to the passkey options endpoint from unauthenticated sources.

  • Upgrade Hermes WebUI to version 0.51.270 or later.
  • Apply network rate limiting on the passkey options endpoint to limit repeated unauthenticated POST requests.
  • Monitor and alert on abnormal growth of the .passkey_challenges.json file and high CPU/disk I/O usage.
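To make the fix concepts concrete (a global cap, oldest-first eviction rather than rejection, and a process-local lock around each rewrite of the JSON file), here is an added illustration that is not Hermes WebUI's code and does not reproduce its file format or routes. It is a hypothetical pending-challenge store; the per-source cap, the TTL, the record layout and the atomic temp-file-then-rename write are my assumptions, chosen so that the backing file stays bounded no matter how many options requests arrive.

```python
import json
import os
import secrets
import tempfile
import threading
import time
from collections import OrderedDict


class BoundedChallengeStore:
    """Hypothetical WebAuthn pending-challenge store (not Hermes WebUI's).
    Every mutation happens under a process-local lock and ends with an
    atomic rewrite of the JSON backing file. Size is bounded by a global
    cap and a per-source cap; in both cases the oldest entry is evicted
    instead of rejecting the new request. Entries older than the TTL are
    dropped on every access."""

    def __init__(self, path, max_pending=1000, max_per_source=5,
                 ttl_seconds=120, clock=time.time):
        self.path = path
        self.max_pending = max_pending
        self.max_per_source = max_per_source
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing
        self._lock = threading.Lock()
        self._pending = OrderedDict()  # challenge_id -> record, insertion ordered
        self._load()

    def _load(self):
        try:
            with open(self.path) as f:
                self._pending = OrderedDict(json.load(f))
        except (FileNotFoundError, ValueError):
            self._pending = OrderedDict()

    def _flush(self):
        # Write to a temp file in the same directory, then rename over the
        # original so readers never see a half-written file.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".challenges-")
        with os.fdopen(fd, "w") as f:
            json.dump(list(self._pending.items()), f)
        os.replace(tmp, self.path)

    def _expire(self, now):
        stale = [cid for cid, rec in self._pending.items() if now - rec["issued"] > self.ttl]
        for cid in stale:
            del self._pending[cid]

    def issue(self, source):
        """Create a challenge for `source` (e.g. client IP); returns (id, challenge_hex)."""
        with self._lock:
            now = self.clock()
            self._expire(now)
            # Per-source cap: evict this source's oldest challenge rather than reject.
            mine = [cid for cid, rec in self._pending.items() if rec["source"] == source]
            while len(mine) >= self.max_per_source:
                del self._pending[mine.pop(0)]
            # Global cap: evict the oldest challenge overall.
            while len(self._pending) >= self.max_pending:
                self._pending.popitem(last=False)
            cid = secrets.token_urlsafe(16)
            challenge = secrets.token_hex(32)
            self._pending[cid] = {"source": source, "issued": now, "challenge": challenge}
            self._flush()
            return cid, challenge

    def consume(self, cid):
        """Remove and return the record when an assertion arrives; None if unknown/expired."""
        with self._lock:
            self._expire(self.clock())
            rec = self._pending.pop(cid, None)
            if rec is not None:
                self._flush()
            return rec

    def pending_count(self):
        with self._lock:
            return len(self._pending)

    def file_size(self):
        return os.path.getsize(self.path)


def make_temp_store(**kwargs):
    """Helper: a store backed by a fresh temporary directory."""
    directory = tempfile.mkdtemp()
    return BoundedChallengeStore(os.path.join(directory, ".passkey_challenges.json"), **kwargs)


if __name__ == "__main__":
    store = make_temp_store(max_pending=100, max_per_source=3)
    for _ in range(10_000):  # simulated flood of uncompleted options requests
        store.issue("203.0.113.7")
    print("pending:", store.pending_count(), "file bytes:", store.file_size())
```

Two properties are worth checking after any change to such a store: the entry count never exceeds the configured cap regardless of how many requests a single source sends, and the file on disk stays proportional to that cap rather than to the request count.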

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
