=== PHASE 1: Repository setup === [INFO] ROOT=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle [INFO] REPO_BASE=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo [INFO] VULN_REPO=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo-vuln [INFO] Vulnerable commit resolved: be1b52227e1ade9a3be9836391ade45eb1a26909 [INFO] Fixed commit resolved: 4018e7b0c39825a5647fb17fc5607d72fb4bc0ce [INFO] Patch hunk verified: vulnerable has /save-document startswith(os.getcwd()); fixed removes /save-document; both retain Feast static_artifacts startup loader. === PHASE 2: Python dependency setup === [SETUP] Vulnerable feature_server module path: /data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo-vuln/sdk/python/feast/feature_server.py [SETUP] Fixed feature_server module path: /data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo/sdk/python/feast/feature_server.py === PHASE 3: Create Feast feature repository and product deployment component === [SETUP] Created feature repo parquet data === PHASE 4: Runtime exploit and fixed negative controls === --- Vulnerable RCE attempt 1: unauthenticated write then Feast startup consumption --- [SERVER] Started PID=46230 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/vuln_attempt1_writer.log code_path=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo-vuln/sdk/python repo_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo cwd=/ [SERVER] Health check passed for PID=46230 [EXPLOIT] Sending unauthenticated POST /save-document for attempt 1 {"success":true,"saved_to":"/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo/static_artifacts-labels.json"} [EXPLOIT] Vulnerable endpoint wrote product-consumed config: /data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo/static_artifacts-labels.json [SERVER] Started PID=46290 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/vuln_attempt1_consumer.log code_path=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo-vuln/sdk/python repo_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo cwd=/ [SERVER] Health check passed for PID=46290 [RCE] Product-startup code execution marker for attempt 1: FEAST_STATIC_ARTIFACT_RCE attempt=1 id: cannot find name for group ID 969 uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),969(969) / executed_by=Feast feature_server load_static_artifacts --- Vulnerable RCE attempt 2: unauthenticated write then Feast startup consumption --- [SERVER] Started PID=46357 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/vuln_attempt2_writer.log code_path=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo-vuln/sdk/python repo_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo cwd=/ [SERVER] Health check passed for PID=46357 [EXPLOIT] Sending unauthenticated POST /save-document for attempt 2 {"success":true,"saved_to":"/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo/static_artifacts-labels.json"} [EXPLOIT] Vulnerable endpoint wrote product-consumed config: /data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo/static_artifacts-labels.json [SERVER] Started PID=46417 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/vuln_attempt2_consumer.log code_path=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo-vuln/sdk/python repo_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo cwd=/ [SERVER] Health check passed for PID=46417 [RCE] Product-startup code execution marker for attempt 2: FEAST_STATIC_ARTIFACT_RCE attempt=2 id: cannot find name for group ID 969 uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),969(969) / executed_by=Feast feature_server load_static_artifacts --- Additional path traversal/string-prefix arbitrary write proof --- [SERVER] Started PID=46489 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/vuln_dotdot_writer.log code_path=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo-vuln/sdk/python repo_path=/tmp/feast_exploit_repo cwd=/tmp/feast_exploit_repo [SERVER] Health check passed for PID=46489 {"success":true,"saved_to":"/tmp/feast_exploit_repo-evil/payload-labels.json"} [EXPLOIT] Dotdot/string-prefix bypass wrote outside cwd: /tmp/feast_exploit_repo-evil/payload-labels.json --- Fixed negative attempt 1: removed endpoint cannot write config or trigger hook --- [SERVER] Started PID=46549 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/fixed_attempt1_writer.log code_path=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo/sdk/python repo_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo cwd=/ [SERVER] Health check passed for PID=46549 [FIXED] /save-document status for attempt 1: 404 [SERVER] Started PID=46613 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/fixed_attempt1_consumer.log code_path=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo/sdk/python repo_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo cwd=/ [SERVER] Health check passed for PID=46613 [FIXED] Confirmed fixed attempt 1: 404 on write, no config file, no hook execution. --- Fixed negative attempt 2: removed endpoint cannot write config or trigger hook --- [SERVER] Started PID=46673 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/fixed_attempt2_writer.log code_path=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo/sdk/python repo_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo cwd=/ [SERVER] Health check passed for PID=46673 [FIXED] /save-document status for attempt 2: 404 [SERVER] Started PID=46731 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/fixed_attempt2_consumer.log code_path=/data/pruva/project-cache/4c87a32e-fadd-4b44-8c92-d18fb2b10e7b/repo/sdk/python repo_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/artifacts/feature_repo cwd=/ [SERVER] Health check passed for PID=46731 [FIXED] Confirmed fixed attempt 2: 404 on write, no config file, no hook execution. === REPRODUCTION COMPLETE === Vulnerability: CVE-2026-23537 Feast Feature Server /save-document arbitrary JSON file write to code execution Vulnerable commit: be1b52227e1ade9a3be9836391ade45eb1a26909 Fixed commit: 4018e7b0c39825a5647fb17fc5607d72fb4bc0ce Primary evidence: artifacts/rce_proof_vuln_attempt1.txt, artifacts/rce_proof_vuln_attempt2.txt, logs/vuln_attempt*_consumer.log Fixed negative evidence: artifacts/http/fixed_attempt1_save_status.txt, artifacts/http/fixed_attempt2_save_status.txt, logs/fixed_attempt*_consumer.log