[21:58:58] CVE-2026-59800 reproduction start: user=vscode uid=1000 work=/data/pruva/runs/3ea760f8-bc97-4c4a-bb13-39d93abcf770/bundle/artifacts/9router [21:58:58] Docker daemon unavailable; skipping Docker-root strategy [21:58:58] No direct root or passwordless real sudo; skipping direct-root strategy [21:58:58] === Strategy: controlled no-prompt sudo precondition === [21:58:58] Preparing npm packages 9router@0.4.39 and 9router@0.4.45 under /data/pruva/runs/3ea760f8-bc97-4c4a-bb13-39d93abcf770/bundle/artifacts/9router [21:59:00] [vuln_1] starting real 9router with PATH-local no-prompt sudo precondition [21:59:09] [vuln_1] HTTP 200; marker: PWNED_BY_9ROUTER_vuln_1 uid=1000(vscode) gid=1000(vscode) groups=1000(vscode) [21:59:10] [vuln_2] starting real 9router with PATH-local no-prompt sudo precondition [21:59:19] [vuln_2] HTTP 200; marker: PWNED_BY_9ROUTER_vuln_2 uid=1000(vscode) gid=1000(vscode) groups=1000(vscode) [21:59:20] [fixed_1] starting real 9router with PATH-local no-prompt sudo precondition [21:59:24] [fixed_1] HTTP 401; marker: [marker absent] [21:59:25] [fixed_2] starting real 9router with PATH-local no-prompt sudo precondition [21:59:29] [fixed_2] HTTP 401; marker: [marker absent] [21:59:29] No-prompt-sudo results: vuln_command_markers=2/2 fixed_401_no_marker=2/2 [21:59:29] --- vulnerable marker excerpt --- PWNED_BY_9ROUTER_vuln_1 uid=1000(vscode) gid=1000(vscode) groups=1000(vscode) [21:59:29] --- vulnerable response excerpt --- event: progress data: {"message":"Downloading install script..."} event: progress data: {"message":"Running install script..."} event: progress data: {"message":"Starting daemon..."} event: progress [21:59:29] --- fixed response excerpt --- {"error":"Unauthorized"}[21:59:29] Controlled no-prompt sudo strategy produced command-execution markers through the real HTTP endpoint. [21:59:29] RESULT: CONFIRMED - attacker-controlled command executed through unauthenticated POST /api/tunnel/tailscale-install; fixed build blocked the same request.