============================================================
CVE-2026-59092 VARIANT: debug agent pprof exposure (post-fix)
============================================================
Vulnerable commit: f60a90fc0ad52d2bb1f44f38a04d55044fc91d50
Fixed commit: a46979cdd4082217081ee99b931ddc53d038e47a
VULN binary: /data/pruva/project-cache/7ad83e4b-d63b-4731-bc8c-ea459a1a8720/juicefs-vuln
FIXED binary: /data/pruva/project-cache/7ad83e4b-d63b-4731-bc8c-ea459a1a8720/juicefs-fixed
Redis started (auth OK).
Volume formatted (or already exists).

============================================================
TEST 1: VULNERABLE version (f60a90fc0ad52d2bb1f44f38a04d55044fc91d50)
============================================================
Vulnerable gateway PID: 21886 (debug agent enabled, --no-agent NOT passed)
Vulnerable gateway ready.
[VULN] metrics port :9577/debug/pprof/cmdline -> HTTP 200 (expect 200 = original CVE surface)
[VULN] debug agent on 127.0.0.1:6060 -> /debug/pprof/cmdline HTTP 200
[VULN] CONFIRMED: Redis password 's3cr3tPass' leaked via debug agent /debug/pprof/cmdline
[VULN] debug agent credential leak: yes
[f60a90fc0ad52d2bb1f44f38a04d55044fc91d50 debug agent cmdline args]:
/data/pruva/project-cache/7ad83e4b-d63b-4731-bc8c-ea459a1a8720/juicefs-vuln gateway redis://:s3cr3tPass@127.0.0.1:6379/1 localhost:9100 --metrics 0.0.0.0:9577 --no-banner

============================================================
TEST 2: FIXED version (a46979cdd4082217081ee99b931ddc53d038e47a)
============================================================
Fixed gateway PID: 21942 (debug agent enabled, --no-agent NOT passed)
Fixed gateway ready.
[FIXED] metrics port :9578/debug/pprof/cmdline -> HTTP 404 (expect 404 = fix covers metrics surface)
[FIXED] metrics port /metrics -> HTTP 200 (expect 200 = no regression)
[FIXED] debug agent on 127.0.0.1:6060 -> /debug/pprof/cmdline HTTP 200
[FIXED] CONFIRMED: Redis password 's3cr3tPass' leaked via debug agent /debug/pprof/cmdline
[FIXED] debug agent credential leak: yes
[a46979cdd4082217081ee99b931ddc53d038e47a debug agent cmdline args]:
/data/pruva/project-cache/7ad83e4b-d63b-4731-bc8c-ea459a1a8720/juicefs-fixed gateway redis://:s3cr3tPass@127.0.0.1:6379/1 localhost:9101 --metrics 0.0.0.0:9578 --no-banner
debug agent reachability from non-loopback 172.20.0.11:6060 -> HTTP 000
[FIXED] loopback_only
[FIXED] other pprof endpoints on debug agent 127.0.0.1:6060:
  /debug/pprof//: HTTP 301
  /debug/pprof/heap: HTTP 200
  /debug/pprof/goroutine: HTTP 200
  /debug/pprof/profile: HTTP 000
  /debug/pprof/allocs: HTTP 200
  /debug/pprof/threadcreate: HTTP 200
  /debug/pprof/block: HTTP 200

============================================================
TEST 3: FIXED version WITH --no-agent (mitigation check)
============================================================
Fixed (--no-agent) gateway ready.
[FIXED --no-agent] debug agent NOT listening on 127.0.0.1:6060-6099 (good: --no-agent disables it)

============================================================
VARIANT VERIFICATION SUMMARY
============================================================
VULN metrics pprof: HTTP 200 (original CVE surface)
VULN debug agent leak: yes (port 6060)
FIXED metrics pprof: HTTP 404 (fix covers metrics -> expect 404)
FIXED metrics ok: HTTP 200 (no regression -> expect 200)
FIXED debug agent leak:yes (port 6060)
FIXED debug agent reach: loopback_only (expect loopback_only)
FIXED --no-agent: disabled (expect disabled)

RESULT: DISTINCT VARIANT CONFIRMED ON FIXED VERSION
- The fix (commit a46979cdd4082217081ee99b931ddc53d038e47a) does NOT cover the debug agent.
- cmd/main.go:336 still serves DefaultServeMux (nil handler) on 127.0.0.1:6060+.
- /debug/pprof/cmdline STILL leaks metadata credentials on the FIXED binary.
- Surface is localhost-only (not a remote bypass of the original CVE), but it is a local-hardening / fix-coverage gap (co-located user / SSRF).

Runtime evidence written to /data/pruva/runs/86428366-e544-4ee6-9dcf-7f308530e020/bundle/vuln_variant/variant_runtime_result.json
=== Variant reproduced on FIXED version (fix-coverage gap) ===