Unknown · Inveniordm · CVE-2026-22798
**Name of the Vulnerable Software and Affected Versions**
hermes versions 0.8.1 through 0.9.0
**Description**
hermes, a software publication automation workflow, lets subcommands accept arbitrary options through the `-O` argument, and the data passed this way is written to log files in plain text. When a user supplies sensitive data through `-O`, such as an API token (e.g., via `hermes deposit -O invenio_rdm.auth_token SECRET`), the secret is recorded in the log and exposed to anyone with access to these log files.
**Recommendations**
Upgrade to version 0.9.1 or later.
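
The class of bug described above, handled at the logging boundary: an added example, not hermes code and not the project's actual fix, that masks the value of each `-O KEY VALUE` triple before a command line is logged. The function names, the key pattern and the sample invocation are assumptions made for illustration.

```python
import re
import shlex

# Assumption: key fragments that mark an option value as a secret.
SENSITIVE_KEY = re.compile(r"token|secret|passw|api[_-]?key|credential", re.I)
MASK = "REDACTED"


def redact_argv(argv, mask_all=False):
    """Return a copy of argv in which the VALUE of each `-O KEY VALUE`
    triple is masked when KEY looks sensitive (or always, if mask_all)."""
    out, i = [], 0
    while i < len(argv):
        out.append(argv[i])
        if argv[i] == "-O" and i + 1 < len(argv):
            key = argv[i + 1]
            out.append(key)
            if i + 2 < len(argv):  # tolerate a truncated `-O KEY`
                hide = mask_all or SENSITIVE_KEY.search(key)
                out.append(MASK if hide else argv[i + 2])
            i += 3  # skip -O, KEY and VALUE
        else:
            i += 1
    return out


def loggable_command_line(argv, mask_all=False):
    """Shell-quoted, redacted command line suitable for a log record."""
    return shlex.join(redact_argv(argv, mask_all))


if __name__ == "__main__":
    import logging

    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    # Constructed invocation; `demo.title` is a made-up, non-sensitive key.
    sample = ["hermes", "deposit",
              "-O", "invenio_rdm.auth_token", "SECRET",
              "-O", "demo.title", "My Software"]
    logging.getLogger("cli").debug("Running: %s", loggable_command_line(sample))
```

Passing `mask_all=True` masks every `-O` value regardless of key name, which avoids relying on the key pattern to recognise a secret.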