{
  "variant_id": "CVE-2026-59800-pruva-negative-variant-search-001",
  "created_at": "2026-07-07T22:09:00Z",
  "variant_summary": "No distinct bypass or alternate unauthenticated command-injection trigger was confirmed. The vulnerable control reached the original /api/tunnel/tailscale-install sudoPassword-to-sh sink, but path-normalization, adjacent tunnel daemon, and adjacent CLI-tools candidates did not create markers on the patched/latest target.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "npm:9router",
  "submitted_target": {
    "target_kind": "npm_package",
    "version": "0.4.39",
    "display": "npm:9router@0.4.39"
  },
  "variant_target": {
    "target_kind": "npm_package",
    "version": "0.5.20",
    "ref": "npm dist-tag latest resolved during variant run",
    "display": "npm:9router@0.5.20"
  },
  "same_root_cause_confidence": "low",
  "same_surface_confidence": "medium",
  "claimed_surface": "api_remote",
  "validated_surface": "none_confirmed_on_fixed_latest",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "Candidate unauthenticated POSTs to /api/tunnel/tailscale-install/, /api/tunnel/tailscale-start-daemon, and /api/cli-tools/antigravity-mitm",
  "attacker_controlled_input": "Unauthenticated HTTP path and JSON sudoPassword/apiKey/action fields in candidate requests",
  "trigger_path": "No confirmed variant trigger path; original vulnerable control remains POST /api/tunnel/tailscale-install -> install helper -> sudo -S sh stdin",
  "observed_impact_class": "none_confirmed",
  "exploitability_confidence": "low",
  "evidence_scope": "runtime_tested_vulnerable_and_fixed_latest_with_source_scan",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "patched/latest build blocks unauthenticated candidate requests or candidates do not reach shell-script stdin interpretation",
  "blocking_mitigation": "catch-all middleware matcher plus install-script temp-file execution instead of shell script from stdin",
  "file_path": "app/.next/server/chunks/3774.js",
  "line_start": 1,
  "line_end": 1,
  "secondary_anchors": [
    {
      "file_path": "app/.next/server/middleware.js",
      "line_start": 1,
      "line_end": 1
    },
    {
      "file_path": "app/.next-cli-build/server/middleware.js",
      "line_start": 1,
      "line_end": 1
    },
    {
      "file_path": "app/.next-cli-build/server/chunks/6457.js",
      "line_start": 1,
      "line_end": 1
    },
    {
      "file_path": "app/.next/server/app/api/tunnel/tailscale-start-daemon/route.js",
      "line_start": 1,
      "line_end": 1
    },
    {
      "file_path": "app/.next/server/app/api/cli-tools/antigravity-mitm/route.js",
      "line_start": 1,
      "line_end": 1
    }
  ],
  "review_scope_paths": [
    "app/.next/server/app/api/tunnel/*",
    "app/.next-cli-build/server/app/api/tunnel/*",
    "app/.next/server/app/api/cli-tools/*",
    "app/.next-cli-build/server/app/api/cli-tools/*",
    "app/.next/server/chunks/3774.js",
    "app/.next-cli-build/server/chunks/6457.js",
    "app/.next/server/middleware.js",
    "app/.next-cli-build/server/middleware.js"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ],
    "patch_analysis": "bundle/vuln_variant/patch_analysis.md",
    "source_scan": "bundle/vuln_variant/source_scan_summary.json"
  }
}