[2026-07-02T17:28:57Z] Step 1: Creating test VSIX with HTML payload...
Created testpub.testext-1.0.0.vsix (1952 bytes)
[2026-07-02T17:28:58Z] VSIX created at /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/testpub.testext-1.0.0.vsix
[2026-07-02T17:28:58Z] Step 2: Creating application.yml...
[2026-07-02T17:28:58Z] Step 3: Starting PostgreSQL on port 5434...
33f862312aba18eaa8717ca12d8935736b485c210279616cc9f07039f5f5d737
[2026-07-02T17:29:03Z] PostgreSQL started
[2026-07-02T17:29:03Z] Building server v1.0.1...
Note: switching to 'e92a1a7a448be08570cc4c4969717ed3e2260015'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

a29c7eb01716f6c161f1cda4c2eaf4f07d1e9295151415301368c597a36268bb
[2026-07-02T17:30:14Z] Build v1.0.1 succeeded: /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/logs/openvsx-server-v1.0.1.jar (185M)
[2026-07-02T17:30:14Z] Building server v1.0.2...
Note: switching to '9491f32a6d459a4d499c5028d37c0d0386771e9f'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

ca074f88ddfcabb2c69d2ae199fadc24a8565ffe0845e8a9ed39a4eefeffa149
[2026-07-02T17:31:29Z] Build v1.0.2 succeeded: /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/logs/openvsx-server-v1.0.2.jar (186M)
[2026-07-02T17:31:29Z] Testing vuln_v1.0.1...
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
55d6b92667b74b3bc4551e8e69e1bb93536fd74d5bb236ab5b408d98ab0c0dcd
[2026-07-02T17:31:35Z] Waiting for vuln_v1.0.1 server to start...
[2026-07-02T17:31:57Z] Server vuln_v1.0.1 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:31:57Z] Namespace creation: {"success":"Created namespace testpub"}
[2026-07-02T17:31:58Z] Publish result: testext 1.0.0
[2026-07-02T17:32:01Z] Requesting: http://localhost:8080/vscode/unpkg/testpub/testext/1.0.0/extension/payload.html
[2026-07-02T17:32:01Z] === vuln_v1.0.1 Response Headers ===
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:32:01 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/html
Cache-Control: max-age=2592000, public
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked

[2026-07-02T17:32:01Z] vuln_v1.0.1 - Content-Type: text/html
[2026-07-02T17:32:01Z] vuln_v1.0.1 - Has CSP: 0 0 ()
[2026-07-02T17:32:01Z] vuln_v1.0.1 - Has Content-Disposition: 0 0
[2026-07-02T17:32:01Z] vuln_v1.0.1 - Response body size: 596 bytes
[2026-07-02T17:32:04Z] Testing fixed_v1.0.2...
NOTICE:  drop cascades to 55 other objects
DETAIL:  drop cascades to table flyway_schema_history
drop cascades to table extension
drop cascades to table extension_review
drop cascades to table extension_version
drop cascades to sequence hibernate_sequence
drop cascades to table namespace
drop cascades to table namespace_membership
drop cascades to table personal_access_token
drop cascades to table spring_session
drop cascades to table spring_session_attributes
drop cascades to table user_data
drop cascades to table persisted_log
drop cascades to table file_resource
drop cascades to table admin_statistics
drop cascades to table admin_statistics_publishers_by_extensions_published
drop cascades to table admin_statistics_extensions_by_rating
drop cascades to table admin_statistics_top_most_active_publishing_users
drop cascades to table admin_statistics_top_namespace_extensions
drop cascades to table admin_statistics_top_namespace_extension_versions
drop cascades to table admin_statistics_top_most_downloaded_extensions
drop cascades to table migration_item
drop cascades to table namespace_social_links
drop cascades to table signature_key_pair
drop cascades to table download_count_processed_item
drop cascades to extension fuzzystrmatch
drop cascades to sequence extension_scan_seq
drop cascades to sequence extension_validation_failure_seq
drop cascades to sequence extension_threat_seq
drop cascades to sequence admin_scan_decision_seq
drop cascades to sequence file_decision_seq
drop cascades to table extension_scan
drop cascades to table extension_validation_failure
drop cascades to table extension_threat
drop cascades to table admin_scan_decision
drop cascades to table file_decision
drop cascades to table scan_job
drop cascades to sequence scan_check_result_seq
drop cascades to table scan_check_result
drop cascades to table tier
drop cascades to table customer
drop cascades to table usage_stats
drop cascades to sequence customer_membership_seq
drop cascades to table customer_membership
drop cascades to sequence rate_limit_token_seq
drop cascades to table rate_limit_token
drop cascades to sequence daily_usage_stats_seq
drop cascades to table daily_usage_stats
drop cascades to sequence setting_seq
drop cascades to table setting
drop cascades to table jobrunr_migrations
drop cascades to table jobrunr_jobs
drop cascades to table jobrunr_recurring_jobs
drop cascades to table jobrunr_backgroundjobservers
drop cascades to table jobrunr_metadata
drop cascades to view jobrunr_jobs_stats
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
b5d27a0f0723a4bd33e42c14b37c682835bf63bce19799ef30a8f79ca7cbaaf1
[2026-07-02T17:32:10Z] Waiting for fixed_v1.0.2 server to start...
[2026-07-02T17:32:31Z] Server fixed_v1.0.2 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:32:32Z] Namespace creation: {"success":"Created namespace testpub"}
[2026-07-02T17:32:33Z] Publish result: testext 1.0.0
[2026-07-02T17:32:36Z] Requesting: http://localhost:8080/vscode/unpkg/testpub/testext/1.0.0/extension/payload.html
[2026-07-02T17:32:36Z] === fixed_v1.0.2 Response Headers ===
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:32:36 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: max-age=86400, must-revalidate, public
Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox
X-XSS-Protection: 0
Transfer-Encoding: chunked

[2026-07-02T17:32:36Z] fixed_v1.0.2 - Content-Type: text/plain;charset=utf-8
[2026-07-02T17:32:36Z] fixed_v1.0.2 - Has CSP: 1 (default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox)
[2026-07-02T17:32:36Z] fixed_v1.0.2 - Has Content-Disposition: 0 0
[2026-07-02T17:32:36Z] fixed_v1.0.2 - Response body size: 596 bytes
[2026-07-02T17:32:39Z] Step 8: Analyzing results...
[2026-07-02T17:32:39Z] Cleaning up Docker containers...
[2026-07-02T17:33:53Z] Step 1: Creating test VSIX with HTML payload...
Created testpub.testext-1.0.0.vsix (1952 bytes)
[2026-07-02T17:33:53Z] VSIX created at /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/testpub.testext-1.0.0.vsix
[2026-07-02T17:33:53Z] Step 2: Creating application.yml...
[2026-07-02T17:33:53Z] Application config created
[2026-07-02T17:33:53Z] Step 3: Starting PostgreSQL on port 5434...
a2958370f35dd8de8c7b001d04e3a46d59d0ab344f6270028a6cd34a1ac418bc
[2026-07-02T17:33:58Z] PostgreSQL started
[2026-07-02T17:33:58Z] Building server v1.0.1...
Note: switching to 'e92a1a7a448be08570cc4c4969717ed3e2260015'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

a1ef61a0a42bbfcdc2245e96cc12e9bc80cc24a69e93f38892e196454f9bee9a
[2026-07-02T17:35:06Z] Build v1.0.1 succeeded: /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/logs/openvsx-server-v1.0.1.jar (185M)
[2026-07-02T17:35:06Z] Building server v1.0.2...
Note: switching to '9491f32a6d459a4d499c5028d37c0d0386771e9f'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

d2f11143b6c06344e12bc0f962e348d0caaaf809df4a9b4ec29f74c01834beae
[2026-07-02T17:36:18Z] Build v1.0.2 succeeded: /data/pruva/runs/ca30852c-9595-4b4b-b0b6-592b9e72d11a/logs/openvsx-server-v1.0.2.jar (186M)
[2026-07-02T17:36:18Z] Testing vuln_v1.0.1...
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
f05c96f0358076979d894fc280b9be2c0ce1d3498148d7a2d23b58263baad093
[2026-07-02T17:36:24Z] Waiting for vuln_v1.0.1 server to start...
[2026-07-02T17:36:46Z] Server vuln_v1.0.1 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:36:46Z] Namespace creation: {"success":"Created namespace testpub"}
[2026-07-02T17:36:48Z] Publish result: testext 1.0.0
[2026-07-02T17:36:51Z] Requesting: http://localhost:8080/vscode/unpkg/testpub/testext/1.0.0/extension/payload.html
[2026-07-02T17:36:51Z] === vuln_v1.0.1 Response Headers ===
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:36:51 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/html
Cache-Control: max-age=2592000, public
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked

Content-Type: text/html
Has CSP: 0 ()
Has Content-Disposition: 0
[2026-07-02T17:36:51Z] vuln_v1.0.1 - Response body size: 596 bytes
[2026-07-02T17:36:53Z] Testing fixed_v1.0.2...
NOTICE:  drop cascades to 55 other objects
DETAIL:  drop cascades to table flyway_schema_history
drop cascades to table extension
drop cascades to table extension_review
drop cascades to table extension_version
drop cascades to sequence hibernate_sequence
drop cascades to table namespace
drop cascades to table namespace_membership
drop cascades to table personal_access_token
drop cascades to table spring_session
drop cascades to table spring_session_attributes
drop cascades to table user_data
drop cascades to table persisted_log
drop cascades to table file_resource
drop cascades to table admin_statistics
drop cascades to table admin_statistics_publishers_by_extensions_published
drop cascades to table admin_statistics_extensions_by_rating
drop cascades to table admin_statistics_top_most_active_publishing_users
drop cascades to table admin_statistics_top_namespace_extensions
drop cascades to table admin_statistics_top_namespace_extension_versions
drop cascades to table admin_statistics_top_most_downloaded_extensions
drop cascades to table migration_item
drop cascades to table namespace_social_links
drop cascades to table signature_key_pair
drop cascades to table download_count_processed_item
drop cascades to extension fuzzystrmatch
drop cascades to sequence extension_scan_seq
drop cascades to sequence extension_validation_failure_seq
drop cascades to sequence extension_threat_seq
drop cascades to sequence admin_scan_decision_seq
drop cascades to sequence file_decision_seq
drop cascades to table extension_scan
drop cascades to table extension_validation_failure
drop cascades to table extension_threat
drop cascades to table admin_scan_decision
drop cascades to table file_decision
drop cascades to table scan_job
drop cascades to sequence scan_check_result_seq
drop cascades to table scan_check_result
drop cascades to table tier
drop cascades to table customer
drop cascades to table usage_stats
drop cascades to sequence customer_membership_seq
drop cascades to table customer_membership
drop cascades to sequence rate_limit_token_seq
drop cascades to table rate_limit_token
drop cascades to sequence daily_usage_stats_seq
drop cascades to table daily_usage_stats
drop cascades to sequence setting_seq
drop cascades to table setting
drop cascades to table jobrunr_migrations
drop cascades to table jobrunr_jobs
drop cascades to table jobrunr_recurring_jobs
drop cascades to table jobrunr_backgroundjobservers
drop cascades to table jobrunr_metadata
drop cascades to view jobrunr_jobs_stats
DROP SCHEMA
CREATE SCHEMA
GRANT
GRANT
4dc640223f377820e70552cccb5bc6f43cbe7af306eda93842b301d5abce9f2b
[2026-07-02T17:36:59Z] Waiting for fixed_v1.0.2 server to start...
[2026-07-02T17:37:21Z] Server fixed_v1.0.2 is healthy
INSERT 0 1
INSERT 0 1
[2026-07-02T17:37:22Z] Namespace creation: {"success":"Created namespace testpub"}
[2026-07-02T17:37:22Z] Publish result: testext 1.0.0
[2026-07-02T17:37:25Z] Requesting: http://localhost:8080/vscode/unpkg/testpub/testext/1.0.0/extension/payload.html
[2026-07-02T17:37:26Z] === fixed_v1.0.2 Response Headers ===
HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:37:25 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: max-age=86400, must-revalidate, public
Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox
X-XSS-Protection: 0
Transfer-Encoding: chunked

Content-Type: text/plain;charset=utf-8
Has CSP: 1 (default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox)
Has Content-Disposition: 0
[2026-07-02T17:37:26Z] fixed_v1.0.2 - Response body size: 596 bytes
[2026-07-02T17:37:28Z] Step 8: Analyzing results...
[2026-07-02T17:37:28Z] === VULNERABLE (v1.0.1) ===
[2026-07-02T17:37:28Z] Content-Type: text/html
[2026-07-02T17:37:28Z] Has CSP: 0
[2026-07-02T17:37:28Z] Has Content-Disposition: 0
[2026-07-02T17:37:28Z]
[2026-07-02T17:37:28Z] === FIXED (v1.0.2) ===
[2026-07-02T17:37:28Z] Content-Type: text/plain;charset=utf-8
[2026-07-02T17:37:28Z] Has CSP: 1
[2026-07-02T17:37:28Z]
[2026-07-02T17:37:28Z] Vulnerable serves text/html: true
[2026-07-02T17:37:28Z] Vulnerable has no CSP: true
[2026-07-02T17:37:28Z] Fixed serves text/plain with CSP: true
[2026-07-02T17:37:28Z] *** VULNERABILITY CONFIRMED ***
[2026-07-02T17:37:28Z] The /vscode/unpkg/ endpoint in v1.0.1 serves HTML files with Content-Type: text/html
[2026-07-02T17:37:28Z] and no Content-Security-Policy header, enabling inline HTML rendering and JS execution.
[2026-07-02T17:37:28Z] The fixed v1.0.2 serves the same file as text/plain with strict CSP.

CVE-2026-13323 Reproduction Verdict
====================================
Vulnerable version: v1.0.1
Fixed version: v1.0.2

VULNERABLE (v1.0.1) headers for /vscode/unpkg/.../payload.html:
  Content-Type: text/html
  Content-Security-Policy: MISSING
  Content-Disposition: MISSING

FIXED (v1.0.2) headers for /vscode/unpkg/.../payload.html:
  Content-Type: text/plain;charset=utf-8
  Content-Security-Policy: present

Vulnerability confirmed: true

[2026-07-02T17:37:28Z] Step 9: Writing runtime manifest...
[2026-07-02T17:37:28Z] Reproduction script complete. Confirmed: true
[2026-07-02T17:37:28Z] Cleaning up Docker containers...
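The verdict step above reduces to three header checks on the /vscode/unpkg/ response: is the Content-Type one a browser renders as a document, is there a Content-Security-Policy, and is there a Content-Disposition. The following is an added example, not part of the reproduction script or the OpenVSX code base, that re-implements that check as a reusable Python function and makes it slightly stricter than the log's "Has CSP" grep: a CSP only neutralises the payload if it carries a sandbox directive or a script-src/default-src of 'none', and a Content-Disposition: attachment also prevents in-origin rendering. The two sample header blocks are copied from the captured responses in the log; treating image/svg+xml and application/xhtml+xml as renderable alongside text/html is this example's own assumption, since the log only exercises text/html.

```python
"""Classify a registry file-serving response: will the browser render the
served file as an active document in the registry's own origin?

Added example, not OpenVSX project code.  It applies the same header
checks the reproduction log runs with shell tools, on a raw HTTP/1.1
header block, so the verdict can be reused against any raw response.
"""
from __future__ import annotations

from collections import defaultdict

# Content types a browser renders as an active document (inline script
# runs).  The log only exercises text/html; the SVG and XHTML entries are
# this example's assumption, added because both can carry <script>.
RENDERABLE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

# Sample input: header blocks copied from the two captured responses in
# the reproduction log above (embedded here, not fetched live).
VULN_HEADERS = """HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:32:01 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/html
Cache-Control: max-age=2592000, public
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked
"""

FIXED_HEADERS = """HTTP/1.1 200 OK
Date: Thu, 02 Jul 2026 17:32:36 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: text/plain;charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: max-age=86400, must-revalidate, public
Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; sandbox
X-XSS-Protection: 0
Transfer-Encoding: chunked
"""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw header block into {lowercase-name: [value, ...]}.

    Repeated headers (Vary here) are kept as a list; the status line and
    blank lines are skipped; a line without ':' is ignored, not guessed at.
    """
    headers: dict[str, list[str]] = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def csp_directives(policy: str) -> dict[str, str]:
    """Split one CSP value into {directive: value}; 'sandbox' may be bare."""
    out: dict[str, str] = {}
    for part in policy.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition(" ")
            out[name.lower()] = value.strip()
    return out


def assess(raw: str) -> dict:
    """Return a verdict for one response header block.

    vulnerable is True when an attacker-supplied file at this URL would be
    rendered as an active document in the serving origin: a renderable
    Content-Type with no sandboxing CSP and no attachment disposition.
    """
    h = parse_headers(raw)
    ctype = h.get("content-type", [""])[0].split(";")[0].strip().lower()
    renderable = ctype in RENDERABLE_TYPES

    # A CSP header merely being present is not enough; look for the
    # directives that actually stop inline script from running.
    csp_values = h.get("content-security-policy", [])
    sandboxed = scripts_blocked = False
    for policy in csp_values:
        d = csp_directives(policy)
        sandboxed = sandboxed or "sandbox" in d
        src = d.get("script-src", d.get("default-src", ""))
        scripts_blocked = scripts_blocked or "'none'" in src.lower()

    # Content-Disposition: attachment forces a download instead of rendering.
    attachment = h.get("content-disposition", [""])[0].lower().startswith("attachment")
    # nosniff is defence in depth: it stops the browser second-guessing text/plain.
    nosniff = "nosniff" in h.get("x-content-type-options", [""])[0].lower()

    return {
        "content_type": ctype,
        "renderable": renderable,
        "has_csp": bool(csp_values),
        "csp_sandbox": sandboxed,
        "csp_scripts_blocked": scripts_blocked,
        "attachment": attachment,
        "nosniff": nosniff,
        "vulnerable": renderable and not (sandboxed or scripts_blocked or attachment),
    }


if __name__ == "__main__":
    for label, raw in (("vuln_v1.0.1", VULN_HEADERS), ("fixed_v1.0.2", FIXED_HEADERS)):
        v = assess(raw)
        print(f"{label}: vulnerable={v['vulnerable']} content_type={v['content_type']} "
              f"csp_sandbox={v['csp_sandbox']} nosniff={v['nosniff']}")
```

Run as a script it prints one verdict line per captured response; to reuse it against a live registry, pipe the output of curl -sI for the unpkg URL into assess(). Note that the fix in v1.0.2 relies on both the Content-Type change and the sandbox CSP: the example reports either one as sufficient to clear the verdict, which is why a text/html response carrying only "Content-Security-Policy: sandbox" is also classified as not vulnerable.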