{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Original ChatDev server_main.py: unauthenticated /ws -> POST /api/uploads/{session_id} traversal upload -> POST /api/workflow/run executes uploaded Python workflow",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "OpenBMB ChatDev server_main.py",
    "server.app:app with ALL_ROUTERS",
    "FastAPI/uvicorn/wsproto/python-multipart",
    "AttachmentService.save_upload_file",
    "runtime.sdk.run_workflow",
    "PythonNodeExecutor subprocess"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "repro/eval_summary.json",
    "repro/real_product_rce_driver.py",
    "logs/server_vuln_1.log",
    "logs/driver_vuln_1.log",
    "repro/result_vuln_1.json",
    "logs/server_vuln_2.log",
    "logs/driver_vuln_2.log",
    "repro/result_vuln_2.json",
    "logs/server_fixed_1.log",
    "logs/driver_fixed_1.log",
    "repro/result_fixed_1.json",
    "logs/server_fixed_2.log",
    "logs/driver_fixed_2.log",
    "repro/result_fixed_2.json",
    "repro/rce_marker_vuln_1.txt",
    "repro/rce_marker_vuln_2.txt"
  ],
  "notes": "Two vulnerable original-product attempts wrote a malicious YAML through the unauthenticated traversal upload and then executed attacker-controlled Python through /api/workflow/run, creating bundle rce_marker files. Two fixed-commit attempts sanitized the filename, did not create the traversed YAML target, and did not create markers.",
  "confirmed": true,
  "vulnerable_code_execution_attempts": [
    true,
    true
  ],
  "fixed_blocked_attempts": [
    true,
    true
  ]
}