{
  "repository": "https://github.com/decolua/9router",
  "commit_source": "git_rev_parse",
  "commit_sha": "9e87935c0e53f46d6ae04fbec656fc4d971547d7",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "cebc72e343dca5aad69b2828cb0d0f2e54b168d",
    "version": "0.4.41",
    "ref": "v0.4.41",
    "display": "decolua/9router @ v0.4.41 (cebc72e34) — parent CVE vulnerable target"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "9e87935c0e53f46d6ae04fbec656fc4d971547d7",
    "version": "0.4.44",
    "ref": "v0.4.44",
    "display": "decolua/9router @ v0.4.44 (9e87935c0) — JWT-secret fixed; bypass confirmed here"
  },
  "additional_tested_targets": [
    {
      "target_kind": "git_tag",
      "commit_sha": "515e2cc4300ace55650ae366414cd51ef3d675df",
      "version": "0.4.80",
      "ref": "v0.4.80",
      "display": "decolua/9router @ v0.4.80 (515e2cc43) — latest release; bypass of the UI-only 'remote default-password guard' confirmed here",
      "commit_source": "git_rev_parse",
      "discovery": "cloned via 'git clone --depth 1 --branch v0.4.80 https://github.com/decolua/9router.git'; HEAD = 515e2cc4300ace55650ae366414cd51ef3d675df"
    }
  ],
  "git_rev_parse_commands": {
    "vulnerable_v0.4.41": "git -C <cache>/repo rev-parse HEAD -> cebc72e343dca5aad69b2828cb0d0f2e54b168d",
    "fixed_v0.4.44": "git -C <cache>/repo-fixed rev-parse HEAD -> 9e87935c0e53f46d6ae04fbec656fc4d971547d7",
    "latest_v0.4.80": "git -C <cache>/repo-latest rev-parse HEAD -> 515e2cc4300ace55650ae366414cd51ef3d675df"
  },
  "build_identity": {
    "fixed_v0.4.44_next_BUILD_ID": "fXpt0hJaeV6L8Bj3rkgir",
    "latest_v0.4.80_next_BUILD_ID": "d3Dp_25EsmP0M0bRlCkd5",
    "runtime": "node v24.18.0, next start (Next.js 16.2.10), NODE_ENV=production, JWT_SECRET unset, DATA_DIR isolated per run"
  },
  "notes": "All three refs resolved by 'git rev-parse HEAD' on the shallow clones under the durable project cache dir. Reproduction was run three times (idempotent), all exit 0. The bypass is confirmed on the fixed target v0.4.44 (primary variant_target) and on the latest v0.4.80 (additional_tested_targets)."
}
