{"repro_id":"REPRO-2026-00193","version":54,"title":"ProFTPD ACL bypass via /proc/self/root path prefix in RNFR","repro_type":"security","status":"published","severity":"high","description":"CVE-2026-35025","root_cause":"CVE-2026-35025","cve_id":"CVE-2026-35025","cwe_id":"CWE-59 Improper Link Resolution Before File Access ('Link Following')","package":{"name":"proftpd/proftpd","ecosystem":"github","affected_versions":"ProFTPD through 1.3.9b and through 1.3.10rc2"},"reproduced_at":"2026-07-01T20:43:45.790430+00:00","duration_secs":5298.0,"tool_calls":258,"handoffs":3,"total_cost_usd":3.78716025,"agent_costs":{"coding":0.6696574599999999,"hypothesis_generator":0.034314,"judge":0.177551,"repro":1.47620486,"support":0.0774397,"vuln_variant":1.35199323},"cost_breakdown":{"coding":{"accounts/fireworks/models/kimi-k2p7-code":0.6696574599999999},"hypothesis_generator":{"accounts/fireworks/models/kimi-k2p7-code":0.034314},"judge":{"gpt-5.5":0.177551},"repro":{"accounts/fireworks/models/kimi-k2p7-code":1.47620486},"support":{"accounts/fireworks/models/kimi-k2p7-code":0.0774397},"vuln_variant":{"accounts/fireworks/models/kimi-k2p7-code":1.35199323}},"quality":{"confidence":"high","idempotent_verified":false,"community_verifications":0},"published_at":"2026-07-01T20:43:46.945234+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":13194,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":7913,"category":"analysis"},{"path":"bundle/vuln_variant/reproduction_steps.sh","filename":"reproduction_steps.sh","size":9679,"category":"reproduction_script"},{"path":"bundle/vuln_variant/rca_report.md","filename":"rca_report.md","size":8306,"category":"analysis"},{"path":"bundle/coding/proposed_fix.diff","filename":"proposed_fix.diff","size":759,"category":"patch"},{"path":"bundle/repro/ftp-root/public/leaked.txt","filename":"leaked.txt","size":73,"category":"other"},{"path":"bundle/repro/proftpd.group","filename":"proftpd.group","size":26,"category":"other"},{"path":"bundle/repro/artifacts/ftp_exploit_output.txt","filename":"ftp_exploit_output.txt","size":4790,"category":"other"},{"path":"bundle/repro/proftpd.conf","filename":"proftpd.conf","size":1055,"category":"other"},{"path":"bundle/repro/runtime_manifest.json","filename":"runtime_manifest.json","size":754,"category":"other"},{"path":"bundle/repro/ftp_exploit.py","filename":"ftp_exploit.py","size":3836,"category":"script"},{"path":"bundle/repro/proftpd.passwd","filename":"proftpd.passwd","size":222,"category":"other"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":731,"category":"other"},{"path":"bundle/ticket.json","filename":"ticket.json","size":1777,"category":"other"},{"path":"bundle/ticket.md","filename":"ticket.md","size":883,"category":"ticket"},{"path":"bundle/logs/proftpd.log","filename":"proftpd.log","size":3686,"category":"log"},{"path":"bundle/logs/reproduction_steps.log","filename":"reproduction_steps.log","size":545714,"category":"log"},{"path":"bundle/vuln_variant/variant_manifest.json","filename":"variant_manifest.json","size":2755,"category":"other"},{"path":"bundle/vuln_variant/test_dele_variant.sh","filename":"test_dele_variant.sh","size":4573,"category":"other"},{"path":"bundle/vuln_variant/runtime_manifest.json","filename":"runtime_manifest.json","size":954,"category":"other"},{"path":"bundle/vuln_variant/test_dele_patched.sh","filename":"test_dele_patched.sh","size":5234,"category":"other"},{"path":"bundle/vuln_variant/root_cause_equivalence.json","filename":"root_cause_equivalence.json","size":1631,"category":"other"},{"path":"bundle/vuln_variant/source_identity.json","filename":"source_identity.json","size":1064,"category":"other"},{"path":"bundle/vuln_variant/patch_analysis.md","filename":"patch_analysis.md","size":6071,"category":"documentation"},{"path":"bundle/vuln_variant/validation_verdict.json","filename":"validation_verdict.json","size":1023,"category":"other"},{"path":"bundle/logs/dele_variant_patched_test.log","filename":"dele_variant_patched_test.log","size":561,"category":"log"},{"path":"bundle/logs/proftpd_patched_variant.log","filename":"proftpd_patched_variant.log","size":3792,"category":"log"},{"path":"bundle/logs/proftpd_dele_patched.log","filename":"proftpd_dele_patched.log","size":3807,"category":"log"},{"path":"bundle/logs/proftpd_dele.log","filename":"proftpd_dele.log","size":3735,"category":"log"},{"path":"bundle/logs/proftpd_patched_configure.log","filename":"proftpd_patched_configure.log","size":21538,"category":"log"},{"path":"bundle/logs/proftpd_vuln_variant.log","filename":"proftpd_vuln_variant.log","size":3765,"category":"log"},{"path":"bundle/logs/proftpd_patched_build.log","filename":"proftpd_patched_build.log","size":26577,"category":"log"},{"path":"bundle/logs/variant_reproduction_steps.log","filename":"variant_reproduction_steps.log","size":1956,"category":"log"},{"path":"bundle/logs/dele_variant_test.log","filename":"dele_variant_test.log","size":3666,"category":"log"},{"path":"bundle/coding/verify_env/ftp-root/public/file_renamed.txt","filename":"file_renamed.txt","size":15,"category":"other"},{"path":"bundle/coding/verify_env/ftp-root/protected/secret.txt","filename":"secret.txt","size":17,"category":"other"},{"path":"bundle/coding/verify_env/ftp-root/protected/secret2.txt","filename":"secret2.txt","size":18,"category":"other"},{"path":"bundle/coding/verify_env/proftpd.group","filename":"proftpd.group","size":26,"category":"other"},{"path":"bundle/coding/verify_env/proftpd.conf","filename":"proftpd.conf","size":1084,"category":"other"},{"path":"bundle/coding/verify_env/proftpd.passwd","filename":"proftpd.passwd","size":234,"category":"other"},{"path":"bundle/coding/logs/proftpd_verify.log","filename":"proftpd_verify.log","size":3790,"category":"log"},{"path":"bundle/coding/logs/proftpd_build.log","filename":"proftpd_build.log","size":4639,"category":"log"},{"path":"bundle/coding/summary_report.md","filename":"summary_report.md","size":4812,"category":"documentation"},{"path":"bundle/coding/verify_fix.sh","filename":"verify_fix.sh","size":6815,"category":"other"}]}