{
  "variant_id": "VT-CVE-2026-58169-testserver-host-allowlist",
  "created_at": "2026-07-05T08:30:00Z",
  "variant_summary": "Partial bypass of the v0.1.10 Host-validation fix (PR #242): the production loopback-Host allowlist _DEFAULT_LOOPBACK_HOSTS includes the non-loopback test hostname 'testserver', so a loopback peer with Host: testserver:<port> and no bearer token is auth-bypassed on the fixed v0.1.10 (POST /sessions -> 201). In the default config the PR #243 shell-tools opt-in blocks the BashTool RCE primitive; when the operator sets VIBE_TRADING_ENABLE_SHELL_TOOLS=1, the testserver Host bypass restores the full RCE chain on the fixed version (BashTool subprocess.run(shell=True) -> RCE_CONFIRMED). Not a standard DNS-rebinding-deliverable bypass (the attacker cannot make a victim browser send Host: testserver from an attacker-owned domain).",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "HKUDS/Vibe-Trading",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "8cebccb9b301f962d11bf0fa8c6be9bf7d7e12f2",
    "version": "0.1.9",
    "ref": "v0.1.9",
    "display": "HKUDS/Vibe-Trading v0.1.9 (vulnerable baseline)"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "54f944743efee7b9cbaaeafb5966c583d0d4ac66",
    "version": "0.1.10",
    "ref": "v0.1.10",
    "display": "HKUDS/Vibe-Trading v0.1.10 (fixed target under test)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "dns_remote",
  "validated_surface": "http_api_loopback_host_testserver",
  "required_entrypoint_kind": "http_request",
  "required_entrypoint_detail": "Loopback peer HTTP request to POST /sessions (and POST /sessions/{id}/messages) carrying Host: testserver:<port> with no Authorization bearer token; delivered via curl --resolve testserver:<port>:127.0.0.1 (simulating a victim whose resolver maps testserver -> 127.0.0.1).",
  "attacker_controlled_input": "Host header value 'testserver' on a loopback TCP peer; agent-driving message content / poisoned LLM tool-call (mock LLM returns a bash tool-call). No bearer token supplied.",
  "trigger_path": "loopback peer -> _reject_untrusted_loopback_host: _is_local_client()=True AND _is_allowed_loopback_host('testserver')=True (allowlist gap) -> middleware passes -> require_auth/_validate_api_auth: _is_local_client()=True -> no auth -> POST /sessions (201) -> POST /sessions/{id}/messages -> _shell_tools_enabled_for_request()=True iff VIBE_TRADING_ENABLE_SHELL_TOOLS=1 -> BashTool subprocess.run(shell=True) -> RCE",
  "observed_impact_class": "auth_bypass_default__code_execution_opted_in",
  "exploitability_confidence": "medium",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "end_to_end_scope": "conditional_full_bypass_on_fixed_opted_in_config",
  "standard_dns_rebinding_bypass_confirmed": false,
  "partial_bypass_confirmed": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "PR #243 (VIBE_TRADING_ENABLE_SHELL_TOOLS opt-in, default off) blocks BashTool RCE in the default config; PR #242 correctly rejects attacker-domain Hosts. Residual gap: 'testserver' in _DEFAULT_LOOPBACK_HOSTS.",
  "file_path": "agent/api_server.py",
  "line_start": 483,
  "line_end": 490,
  "secondary_anchors": [
    {
      "file_path": "agent/api_server.py",
      "line_start": 562,
      "line_end": 569
    },
    {
      "file_path": "agent/api_server.py",
      "line_start": 844,
      "line_end": 852
    },
    {
      "file_path": "agent/src/tools/__init__.py",
      "line_start": 30,
      "line_end": 30
    },
    {
      "file_path": "agent/src/tools/bash_tool.py",
      "line_start": 1,
      "line_end": 60
    }
  ],
  "review_scope_paths": [
    "agent/api_server.py",
    "agent/src/tools/__init__.py",
    "agent/src/tools/bash_tool.py",
    "agent/src/tools/write_file_tool.py",
    "agent/src/tools/edit_file_tool.py",
    "SECURITY.md"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/variant_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/mock_llm_server.py"
    ]
  }
}
