[setup] ROOT=/data/pruva/runs/e5a52f60-b1de-4de3-9eb4-2296505f5ccc/bundle
[setup] REPO=/data/pruva/project-cache/5fae45af-5219-4bcc-9a7d-83d7841ab66b/repo
[setup] FIXED_RESOLVED=f074710a91ea9260a9ac2142345634579843a3cd
[setup] VULN_RESOLVED=7845532f9d17f6f765363dbee82b01bd159fb52b
[setup] ORIG_HEAD=f074710a91ea9260a9ac2142345634579843a3cd
----- [vuln] commit=7845532f9d17f6f765363dbee82b01bd159fb52b -----
[vuln] building workspace
[vuln] running jest harness
[vuln] marker log (/data/pruva/runs/e5a52f60-b1de-4de3-9eb4-2296505f5ccc/bundle/logs/vuln_variant_vuln.log):
[CALLSITE_BYPASS]: getTLogTimestamp() returned a trusted timestamp (2025-12-14T02:05:09.000Z) for an entry whose inclusionPromise is FORGED (presence-check passes, SET not yet validated); integratedTime=1765677909
[BYPASS_OK]: Verifier.verify() (cert path) SUCCEEDED on a DECOUPLED SignedEntity (tlogEntries empty) whose sole timestamp is a tlog entry carrying a FORGED inclusionPromise + attacker integratedTime=1765677909; cert is EXPIRED now (notBefore=2025-12-14T02:04:39.000Z, notAfter=2025-12-14T02:14:39.000Z, now=2026-07-02T18:16:22.222Z); fix presence-check passed, SET never validated -> original CVE impact (expired-cert-accepted) reproduced on this version
[BYPASS_OK]: Verifier.verify() (public-key path) SUCCEEDED on a DECOUPLED SignedEntity whose sole timestamp is a tlog entry with a FORGED inclusionPromise + attacker integratedTime=1763174679; timestampThreshold satisfied & key validity accepted on attacker-chosen, unvalidated time
[NC_REJECT]: bundle-path (coupled) verify rejected a FORGED inclusionPromise with code=TLOG_INCLUSION_PROMISE_ERROR: inclusion promise could not be verified -> verifyTLogSET validated the SET and rejected (coupling protection holds on this version)
[ORIG_OK]: original vector (inclusionProof-only, attacker integratedTime=1765677909) verify SUCCEEDED; cert EXPIRED now (notBefore=2025-12-14T02:04:39.000Z, notAfter=2025-12-14T02:14:39.000Z) -> original CVE reproduced on this version
----- [vuln] done -----
----- [fixed] commit=f074710a91ea9260a9ac2142345634579843a3cd -----
[fixed] building workspace
[fixed] running jest harness
[fixed] marker log (/data/pruva/runs/e5a52f60-b1de-4de3-9eb4-2296505f5ccc/bundle/logs/vuln_variant_fixed.log):
[CALLSITE_BYPASS]: getTLogTimestamp() returned a trusted timestamp (2025-12-14T02:05:09.000Z) for an entry whose inclusionPromise is FORGED (presence-check passes, SET not yet validated); integratedTime=1765677909
[BYPASS_OK]: Verifier.verify() (cert path) SUCCEEDED on a DECOUPLED SignedEntity (tlogEntries empty) whose sole timestamp is a tlog entry carrying a FORGED inclusionPromise + attacker integratedTime=1765677909; cert is EXPIRED now (notBefore=2025-12-14T02:04:39.000Z, notAfter=2025-12-14T02:14:39.000Z, now=2026-07-02T18:16:25.063Z); fix presence-check passed, SET never validated -> original CVE impact (expired-cert-accepted) reproduced on this version
[BYPASS_OK]: Verifier.verify() (public-key path) SUCCEEDED on a DECOUPLED SignedEntity whose sole timestamp is a tlog entry with a FORGED inclusionPromise + attacker integratedTime=1763174679; timestampThreshold satisfied & key validity accepted on attacker-chosen, unvalidated time
[NC_REJECT]: bundle-path (coupled) verify rejected a FORGED inclusionPromise with code=TLOG_INCLUSION_PROMISE_ERROR: inclusion promise could not be verified -> verifyTLogSET validated the SET and rejected (coupling protection holds on this version)
[ORIG_REJECT]: original vector (inclusionProof-only) verify rejected with code=TIMESTAMP_ERROR: expected 1 timestamps, got 0 -> fix closes the original inclusionProof-only vector on this version
----- [fixed] done -----
[eval] fixed: BYPASS_OK=2 NC_REJECT=1 ORIG_REJECT=1
[eval] vuln: BYPASS_OK=2 NC_REJECT=1 ORIG_OK=1
[eval] BYPASS CONFIRMED: the forged-inclusionPromise decoupled SignedEntity reproduces (verify() succeeds, expired cert accepted) on the FIXED commit f074710a91ea9260a9ac2142345634579843a3cd.
[manifest] wrote /data/pruva/runs/e5a52f60-b1de-4de3-9eb4-2296505f5ccc/bundle/vuln_variant/runtime_manifest.json
[verdict] wrote /data/pruva/runs/e5a52f60-b1de-4de3-9eb4-2296505f5ccc/bundle/vuln_variant/validation_verdict.json
[source_identity] wrote /data/pruva/runs/e5a52f60-b1de-4de3-9eb4-2296505f5ccc/bundle/vuln_variant/source_identity.json
[root_cause_equivalence] wrote /data/pruva/runs/e5a52f60-b1de-4de3-9eb4-2296505f5ccc/bundle/vuln_variant/root_cause_equivalence.json
[result] CVE-2026-48816 variant BYPASS reproduced on the fixed version (confirmed).