=== Pinpoint CVE-2026-57947 webhook SSRF variant / bypass analysis === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle REPO_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba/repo VULNERABLE_REF=v3.1.0 FIXED_REF=f683a24b4f LATEST_REF=f59a5468ae141958a0bb9400da3e79ac0ad73dc2 /data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle/vuln_variant/artifacts/src/test/VariantBypassHarness.java:61: error: incompatible types: Map cannot be converted to Map Map dnsRecords = buildDnsRecords(); ^ /data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle/vuln_variant/artifacts/src/test/VariantBypassHarness.java:62: error: incompatible types: Map cannot be converted to Map WebhookDnsResolver resolver = new WebhookDnsResolver(new StaticDnsResolver(dnsRecords)); ^ Note: Some messages have been simplified; recompile with -Xdiags:verbose to get full output 2 errors === Pinpoint CVE-2026-57947 webhook SSRF variant / bypass analysis === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle REPO_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba/repo VULNERABLE_REF=v3.1.0 FIXED_REF=f683a24b4f LATEST_REF=f59a5468ae141958a0bb9400da3e79ac0ad73dc2 --- candidate comparison: vulnerable vs patched --- vulnerable=true reg=true send=BLOCKED(dns:127.0.0.1) | http://127.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:[::1]) | http://[::1]/ vulnerable=true reg=true send=BLOCKED(dns:169.254.169.254) | http://169.254.169.254/latest/meta-data vulnerable=true reg=true send=BLOCKED(dns:localhost) | http://localhost/ vulnerable=true reg=true send=BLOCKED(dns:2130706433) | http://2130706433/ vulnerable=true reg=true send=BLOCKED(dns:0177.0.0.1) | http://0177.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:0x7f000001) | http://0x7f000001/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.0.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.1/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:0:0:1]) | http://[0:0:0:0:0:0:0:1]/ vulnerable=true reg=true send=BLOCKED(dns:[0000:0000:0000:0000:0000:0000:0000:0001]) | http://[0000:0000:0000:0000:0000:0000:0000:0001]/ vulnerable=true reg=true send=BLOCKED(dns:[::127.0.0.1]) | http://[::127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::0:127.0.0.1]) | http://[::0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:ffff:127.0.0.1]) | http://[0:0:0:0:0:ffff:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:0:127.0.0.1]) | http://[::ffff:0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:7f00:1]) | http://[::ffff:7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::7f00:1]) | http://[64:ff9b::7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::a9fe:a9fe]) | http://[64:ff9b::a9fe:a9fe]/ vulnerable=true reg=true send=BLOCKED(dns:[fe80::1%25lo0]) | http://[fe80::1%25lo0]/ vulnerable=true reg=true send=BLOCKED(dns:[::1%25lo0]) | http://[::1%25lo0]/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.nip.io, address=127.0.0.1) | http://127.0.0.1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127-0-0-1.nip.io, address=127.0.0.1) | http://127-0-0-1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.xip.io, address=127.0.0.1) | http://127.0.0.1.xip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=example.localhost.com, address=127.0.0.1) | http://example.localhost.com/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=localhost.example.com, address=127.0.0.1) | http://localhost.example.com/ [TRUE BYPASS] vulnerable=true reg=false send=ALLOWED | http://8.8.8.8/ [TRUE BYPASS] vulnerable=true reg=false send=ALLOWED | http://example.com/ vulnerable=true reg=false send=BLOCKED(dns:[2606:4700:4700::1111]) | https://[2606:4700:4700::1111]/ --- summary --- Candidates accepted by vulnerable validator: 30 Candidates blocked by patched validator/DNS: 28 Candidates not blocked by patched code: 2 True bypasses (vulnerable accepts AND patched leaks): 2 RESULT: bypass confirmed --- vulnerable runtime check (optional): registering 127.0.0.1.nip.io against running 3.1.0 container --- Vulnerable 3.1.0 registration response for 127.0.0.1.nip.io: Vulnerable 3.1.0 did not accept the URL (already in patched state or auth issue). === Variant/bypass reproduced on fixed code === === Pinpoint CVE-2026-57947 webhook SSRF variant / bypass analysis === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle REPO_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba/repo VULNERABLE_REF=v3.1.0 FIXED_REF=f683a24b4f LATEST_REF=f59a5468ae141958a0bb9400da3e79ac0ad73dc2 --- private-target bypass candidates: vulnerable vs patched --- vulnerable=true reg=true send=BLOCKED(dns:127.0.0.1) | http://127.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:[::1]) | http://[::1]/ vulnerable=true reg=true send=BLOCKED(dns:169.254.169.254) | http://169.254.169.254/latest/meta-data vulnerable=true reg=true send=BLOCKED(dns:localhost) | http://localhost/ vulnerable=true reg=true send=BLOCKED(dns:2130706433) | http://2130706433/ vulnerable=true reg=true send=BLOCKED(dns:0177.0.0.1) | http://0177.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:0x7f000001) | http://0x7f000001/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.0.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.1/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:0:0:1]) | http://[0:0:0:0:0:0:0:1]/ vulnerable=true reg=true send=BLOCKED(dns:[0000:0000:0000:0000:0000:0000:0000:0001]) | http://[0000:0000:0000:0000:0000:0000:0000:0001]/ vulnerable=true reg=true send=BLOCKED(dns:[::127.0.0.1]) | http://[::127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::0:127.0.0.1]) | http://[::0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:ffff:127.0.0.1]) | http://[0:0:0:0:0:ffff:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:0:127.0.0.1]) | http://[::ffff:0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:7f00:1]) | http://[::ffff:7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::7f00:1]) | http://[64:ff9b::7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::a9fe:a9fe]) | http://[64:ff9b::a9fe:a9fe]/ vulnerable=true reg=true send=BLOCKED(dns:[fe80::1%25lo0]) | http://[fe80::1%25lo0]/ vulnerable=true reg=true send=BLOCKED(dns:[::1%25lo0]) | http://[::1%25lo0]/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.nip.io, address=127.0.0.1) | http://127.0.0.1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127-0-0-1.nip.io, address=127.0.0.1) | http://127-0-0-1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.xip.io, address=127.0.0.1) | http://127.0.0.1.xip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=example.localhost.com, address=127.0.0.1) | http://example.localhost.com/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=localhost.example.com, address=127.0.0.1) | http://localhost.example.com/ --- public-control URLs: should remain allowed --- vulnerable=true reg=false send=ALLOWED allowed=true | http://8.8.8.8/ vulnerable=true reg=false send=ALLOWED allowed=true | http://example.com/ vulnerable=true reg=false send=BLOCKED(dns:[2606:4700:4700::1111]) allowed=false | https://[2606:4700:4700::1111]/ --- summary --- Private target candidates: 27 accepted by vulnerable validator: 27 blocked by patched validator/DNS: 27 not blocked by patched code: 0 Public control URLs: 3 still allowed by patched code: 2 RESULT: patch overblocks public URLs (unexpected) === Pinpoint CVE-2026-57947 webhook SSRF variant / bypass analysis === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle REPO_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba/repo VULNERABLE_REF=v3.1.0 FIXED_REF=f683a24b4f LATEST_REF=f59a5468ae141958a0bb9400da3e79ac0ad73dc2 --- private-target bypass candidates: vulnerable vs patched --- vulnerable=true reg=true send=BLOCKED(dns:127.0.0.1) | http://127.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:[::1]) | http://[::1]/ vulnerable=true reg=true send=BLOCKED(dns:169.254.169.254) | http://169.254.169.254/latest/meta-data vulnerable=true reg=true send=BLOCKED(dns:localhost) | http://localhost/ vulnerable=true reg=true send=BLOCKED(dns:2130706433) | http://2130706433/ vulnerable=true reg=true send=BLOCKED(dns:0177.0.0.1) | http://0177.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:0x7f000001) | http://0x7f000001/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.0.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.1/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:0:0:1]) | http://[0:0:0:0:0:0:0:1]/ vulnerable=true reg=true send=BLOCKED(dns:[0000:0000:0000:0000:0000:0000:0000:0001]) | http://[0000:0000:0000:0000:0000:0000:0000:0001]/ vulnerable=true reg=true send=BLOCKED(dns:[::127.0.0.1]) | http://[::127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::0:127.0.0.1]) | http://[::0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:ffff:127.0.0.1]) | http://[0:0:0:0:0:ffff:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:0:127.0.0.1]) | http://[::ffff:0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:7f00:1]) | http://[::ffff:7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::7f00:1]) | http://[64:ff9b::7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::a9fe:a9fe]) | http://[64:ff9b::a9fe:a9fe]/ vulnerable=true reg=true send=BLOCKED(dns:[fe80::1%25lo0]) | http://[fe80::1%25lo0]/ vulnerable=true reg=true send=BLOCKED(dns:[::1%25lo0]) | http://[::1%25lo0]/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.nip.io, address=127.0.0.1) | http://127.0.0.1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127-0-0-1.nip.io, address=127.0.0.1) | http://127-0-0-1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.xip.io, address=127.0.0.1) | http://127.0.0.1.xip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=example.localhost.com, address=127.0.0.1) | http://example.localhost.com/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=localhost.example.com, address=127.0.0.1) | http://localhost.example.com/ --- public-control URLs: should remain allowed --- vulnerable=true reg=false send=ALLOWED allowed=true | http://8.8.8.8/ vulnerable=true reg=false send=ALLOWED allowed=true | http://example.com/ vulnerable=true reg=false send=ALLOWED allowed=true | https://[2606:4700:4700::1111]/ --- summary --- Private target candidates: 27 accepted by vulnerable validator: 27 blocked by patched validator/DNS: 27 not blocked by patched code: 0 Public control URLs: 3 still allowed by patched code: 3 RESULT: no bypass found; patch blocks all private-target variants === Pinpoint CVE-2026-57947 webhook SSRF variant / bypass analysis === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle REPO_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba/repo VULNERABLE_REF=v3.1.0 FIXED_REF=f683a24b4f LATEST_REF=f59a5468ae141958a0bb9400da3e79ac0ad73dc2 --- private-target bypass candidates: vulnerable vs patched --- vulnerable=true reg=true send=BLOCKED(dns:127.0.0.1) | http://127.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:[::1]) | http://[::1]/ vulnerable=true reg=true send=BLOCKED(dns:169.254.169.254) | http://169.254.169.254/latest/meta-data vulnerable=true reg=true send=BLOCKED(dns:localhost) | http://localhost/ vulnerable=true reg=true send=BLOCKED(dns:2130706433) | http://2130706433/ vulnerable=true reg=true send=BLOCKED(dns:0177.0.0.1) | http://0177.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:0x7f000001) | http://0x7f000001/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.0.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.1/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:0:0:1]) | http://[0:0:0:0:0:0:0:1]/ vulnerable=true reg=true send=BLOCKED(dns:[0000:0000:0000:0000:0000:0000:0000:0001]) | http://[0000:0000:0000:0000:0000:0000:0000:0001]/ vulnerable=true reg=true send=BLOCKED(dns:[::127.0.0.1]) | http://[::127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::0:127.0.0.1]) | http://[::0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:ffff:127.0.0.1]) | http://[0:0:0:0:0:ffff:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:0:127.0.0.1]) | http://[::ffff:0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:7f00:1]) | http://[::ffff:7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::7f00:1]) | http://[64:ff9b::7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::a9fe:a9fe]) | http://[64:ff9b::a9fe:a9fe]/ vulnerable=true reg=true send=BLOCKED(dns:[fe80::1%25lo0]) | http://[fe80::1%25lo0]/ vulnerable=true reg=true send=BLOCKED(dns:[::1%25lo0]) | http://[::1%25lo0]/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.nip.io, address=127.0.0.1) | http://127.0.0.1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127-0-0-1.nip.io, address=127.0.0.1) | http://127-0-0-1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.xip.io, address=127.0.0.1) | http://127.0.0.1.xip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=example.localhost.com, address=127.0.0.1) | http://example.localhost.com/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=localhost.example.com, address=127.0.0.1) | http://localhost.example.com/ --- public-control URLs: should remain allowed --- vulnerable=true reg=false send=ALLOWED allowed=true | http://8.8.8.8/ vulnerable=true reg=false send=ALLOWED allowed=true | http://example.com/ vulnerable=true reg=false send=ALLOWED allowed=true | https://[2606:4700:4700::1111]/ --- summary --- Private target candidates: 27 accepted by vulnerable validator: 27 blocked by patched validator/DNS: 27 not blocked by patched code: 0 Public control URLs: 3 still allowed by patched code: 3 RESULT: no bypass found; patch blocks all private-target variants === Pinpoint CVE-2026-57947 webhook SSRF variant / bypass analysis === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle REPO_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba/repo VULNERABLE_REF=v3.1.0 FIXED_REF=f683a24b4f LATEST_REF=f59a5468ae141958a0bb9400da3e79ac0ad73dc2 --- private-target bypass candidates: vulnerable vs patched --- vulnerable=true reg=true send=BLOCKED(dns:127.0.0.1) | http://127.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:[::1]) | http://[::1]/ vulnerable=true reg=true send=BLOCKED(dns:169.254.169.254) | http://169.254.169.254/latest/meta-data vulnerable=true reg=true send=BLOCKED(dns:localhost) | http://localhost/ vulnerable=true reg=true send=BLOCKED(dns:2130706433) | http://2130706433/ vulnerable=true reg=true send=BLOCKED(dns:0177.0.0.1) | http://0177.0.0.1/ vulnerable=true reg=true send=BLOCKED(dns:0x7f000001) | http://0x7f000001/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://127.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.0.0.1/ vulnerable=true reg=true send=BLOCKED(syntax) | http://0x7f.1/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:0:0:1]) | http://[0:0:0:0:0:0:0:1]/ vulnerable=true reg=true send=BLOCKED(dns:[0000:0000:0000:0000:0000:0000:0000:0001]) | http://[0000:0000:0000:0000:0000:0000:0000:0001]/ vulnerable=true reg=true send=BLOCKED(dns:[::127.0.0.1]) | http://[::127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::0:127.0.0.1]) | http://[::0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[0:0:0:0:0:ffff:127.0.0.1]) | http://[0:0:0:0:0:ffff:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:0:127.0.0.1]) | http://[::ffff:0:127.0.0.1]/ vulnerable=true reg=true send=BLOCKED(dns:[::ffff:7f00:1]) | http://[::ffff:7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::7f00:1]) | http://[64:ff9b::7f00:1]/ vulnerable=true reg=true send=BLOCKED(dns:[64:ff9b::a9fe:a9fe]) | http://[64:ff9b::a9fe:a9fe]/ vulnerable=true reg=true send=BLOCKED(dns:[fe80::1%25lo0]) | http://[fe80::1%25lo0]/ vulnerable=true reg=true send=BLOCKED(dns:[::1%25lo0]) | http://[::1%25lo0]/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.nip.io, address=127.0.0.1) | http://127.0.0.1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127-0-0-1.nip.io, address=127.0.0.1) | http://127-0-0-1.nip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=127.0.0.1.xip.io, address=127.0.0.1) | http://127.0.0.1.xip.io/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=example.localhost.com, address=127.0.0.1) | http://example.localhost.com/ vulnerable=true reg=false send=BLOCKED(dns:Webhook host resolves to a non-public address. host=localhost.example.com, address=127.0.0.1) | http://localhost.example.com/ --- public-control URLs: should remain allowed --- vulnerable=true reg=false send=ALLOWED allowed=true | http://8.8.8.8/ vulnerable=true reg=false send=ALLOWED allowed=true | http://example.com/ vulnerable=true reg=false send=ALLOWED allowed=true | https://[2606:4700:4700::1111]/ --- summary --- Private target candidates: 27 accepted by vulnerable validator: 27 blocked by patched validator/DNS: 27 not blocked by patched code: 0 Public control URLs: 3 still allowed by patched code: 3 RESULT: no bypass found; patch blocks all private-target variants