=== CVE-2026-58166 real-product RCE reproduction: Sun Jul 5 15:04:20 UTC 2026 === PROJECT_CACHE_DIR=/data/pruva/project-cache/cb19670c-9322-4afb-8baf-ad6441138574 REPO=/data/pruva/project-cache/cb19670c-9322-4afb-8baf-ad6441138574/repo VENV=/data/pruva/project-cache/cb19670c-9322-4afb-8baf-ad6441138574/venv Installing product runtime dependencies (idempotent) ... VULN_COMMIT=a6a5cda5560053136897aa44301eacc6c48d8168 (= 4fd4da603801766b14ad8788649cfc1ad21f99a6^) FIXED_COMMIT=4fd4da603801766b14ad8788649cfc1ad21f99a6 ----- role=vuln attempt=1 commit=a6a5cda5560053136897aa44301eacc6c48d8168 port=57217 ----- vulnerable sanity OK: raw upload.filename is joined into temp_path server pid=156999 log=/data/pruva/runs/3283e9ad-873d-4160-b2a4-c262fdf0e854/bundle/logs/server_vuln_1.log health OK for vuln/1 { "role": "vuln", "attempt": 1, "upload_status": 200, "upload_response_name": "../../../../../../../../../../../../../../../../tmp/chatdev_cve58166_vuln_1_link.yaml", "upload_wrote_persistent_yaml": true, "workflow_run_status": 200, "code_execution_observed": true, "fixed_blocked_chain": false, "marker_content": "RCE_OK_FROM_CHATDEV_WORKFLOW role=vuln attempt=1\n" } ----- role=vuln attempt=2 commit=a6a5cda5560053136897aa44301eacc6c48d8168 port=37113 ----- vulnerable sanity OK: raw upload.filename is joined into temp_path server pid=157055 log=/data/pruva/runs/3283e9ad-873d-4160-b2a4-c262fdf0e854/bundle/logs/server_vuln_2.log health OK for vuln/2 { "role": "vuln", "attempt": 2, "upload_status": 200, "upload_response_name": "../../../../../../../../../../../../../../../../tmp/chatdev_cve58166_vuln_2_link.yaml", "upload_wrote_persistent_yaml": true, "workflow_run_status": 200, "code_execution_observed": true, "fixed_blocked_chain": false, "marker_content": "RCE_OK_FROM_CHATDEV_WORKFLOW role=vuln attempt=2\n" } ----- role=fixed attempt=1 commit=4fd4da603801766b14ad8788649cfc1ad21f99a6 port=32805 ----- fixed sanity OK: basename sanitization patch is present server pid=157110 log=/data/pruva/runs/3283e9ad-873d-4160-b2a4-c262fdf0e854/bundle/logs/server_fixed_1.log health OK for fixed/1 { "role": "fixed", "attempt": 1, "upload_status": 200, "upload_response_name": "chatdev_cve58166_fixed_1_link.yaml", "upload_wrote_persistent_yaml": false, "workflow_run_status": 404, "code_execution_observed": false, "fixed_blocked_chain": true, "marker_content": null } ----- role=fixed attempt=2 commit=4fd4da603801766b14ad8788649cfc1ad21f99a6 port=56581 ----- fixed sanity OK: basename sanitization patch is present server pid=157163 log=/data/pruva/runs/3283e9ad-873d-4160-b2a4-c262fdf0e854/bundle/logs/server_fixed_2.log health OK for fixed/2 { "role": "fixed", "attempt": 2, "upload_status": 200, "upload_response_name": "chatdev_cve58166_fixed_2_link.yaml", "upload_wrote_persistent_yaml": false, "workflow_run_status": 404, "code_execution_observed": false, "fixed_blocked_chain": true, "marker_content": null } { "vuln_attempts_code_execution": [ true, true ], "vuln_attempts_persistent_yaml_write": [ true, true ], "vuln_response_names": [ "../../../../../../../../../../../../../../../../tmp/chatdev_cve58166_vuln_1_link.yaml", "../../../../../../../../../../../../../../../../tmp/chatdev_cve58166_vuln_2_link.yaml" ], "vuln_marker_contents": [ "RCE_OK_FROM_CHATDEV_WORKFLOW role=vuln attempt=1\n", "RCE_OK_FROM_CHATDEV_WORKFLOW role=vuln attempt=2\n" ], "fixed_attempts_blocked_chain": [ true, true ], "fixed_response_names": [ "chatdev_cve58166_fixed_1_link.yaml", "chatdev_cve58166_fixed_2_link.yaml" ], "fixed_target_created": [ false, false ], "confirmed": true } CONFIRMED: real ChatDev product RCE chain reproduced on a6a5cda5560053136897aa44301eacc6c48d8168 and blocked by fixed commit 4fd4da603801766b14ad8788649cfc1ad21f99a6