[2026-07-09T21:14:31+00:00] === CVE-2026-52831 Nuclio product-path reproduction === [2026-07-09T21:14:31+00:00] Root: /data/pruva/runs/dee90bab-260c-49da-b959-574bad8aee06/bundle [2026-07-09T21:14:31+00:00] Go version: go version go1.26.3 linux/amd64 [2026-07-09T21:14:31+00:00] Docker version: Docker version 29.1.3, build 29.1.3-0ubuntu4.1 [2026-07-09T21:14:31+00:00] Kind version: kind v0.27.0 go1.23.6 linux/amd64 [2026-07-09T21:14:31+00:00] Using repository path: /data/pruva/project-cache/7182044f-d4bd-4461-bb94-67cc221ed6fc/repo [2026-07-09T21:14:31+00:00] Resolved vulnerable commit: 82b9b64ee9bc0c7d99447b5890ef85973fee4e36 [2026-07-09T21:14:31+00:00] Resolved fixed commit: 3356b86a8bfab3f960aa420310ebff765df9dede [2026-07-09T21:14:31+00:00] Patch hunk verification succeeded: vulnerable uses /bin/sh -c, fixed uses exec-form curl [2026-07-09T21:14:31+00:00] Building Nuclio controller for vulnerable at 82b9b64ee9bc0c7d99447b5890ef85973fee4e36 /data/pruva/runs/dee90bab-260c-49da-b959-574bad8aee06/bundle/artifacts/nuclio-cve-2026-52831/controller-vulnerable: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=cjmH4z_3BSFLzaI0gFFt/ADiyOpKle4aIA5vk6O7O/o7CzuewMrKsKbFkGZ3lZ/E4z9k0jRwntmpVq5XNAC, BuildID[sha1]=b825b7dd239452a1fefb209ebf906140edff189f, with debug_info, not stripped [2026-07-09T21:14:31+00:00] Building Nuclio controller for fixed at 3356b86a8bfab3f960aa420310ebff765df9dede /data/pruva/runs/dee90bab-260c-49da-b959-574bad8aee06/bundle/artifacts/nuclio-cve-2026-52831/controller-fixed: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=uT2fepQm9DyTTeQldV2b/j_UUdMNYpO6m87shb5Lt/o7CzuewMrKsKbFkGZ3lZ/g4z2E1ozHRgbdDy8UFpw, BuildID[sha1]=8c22cee6b86d28c97ed66d3e082d1b93dffaba93, with debug_info, not stripped [2026-07-09T21:14:32+00:00] --- Running vulnerable product-path attempt 1 on cluster pruva-nuclio-cve52831-vulnerable-1 --- [2026-07-09T21:14:32+00:00] Creating kind cluster pruva-nuclio-cve52831-vulnerable-1 with image f226345927d7 [2026-07-09T21:15:02+00:00] Loading curlimages/curl:8.11.1 and busybox:latest into kind node containerd NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME pruva-nuclio-cve52831-vulnerable-1-control-plane Ready control-plane 25s v1.32.2 172.21.0.3 Debian GNU/Linux 12 (bookworm) 7.0.14-arch1-1 containerd://2.0.2 customresourcedefinition.apiextensions.k8s.io/nucliofunctions.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nuclioprojects.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nucliofunctionevents.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nuclioapigateways.nuclio.io created nuclioproject.nuclio.io/cve-project created deployment.apps/stub-target created nucliofunction.nuclio.io/vulncron created [2026-07-09T21:15:15+00:00] vulnerable attempt 1: controller generated CronJob nuclio-cron-job-d980uof180khnc4ueqk0 job.batch/manual-vulnerable-1 created [2026-07-09T21:15:19+00:00] vulnerable attempt 1 pod log follows: uid=100(curl_user) gid=101(curl_group) groups=101(curl_group) curl: (2) no URL specified curl: try 'curl --help' or 'curl --manual' for more information CVE_PRODUCT_RCE uid=100(curl_user) gid=101(curl_group) groups=101(curl_group) : marker --header X-Nuclio-Invoke-Trigger: cron --header X-Nuclio-Target: vulncron nuclio-vulncron.nuclio-cve.svc.cluster.local:8080 --retry 10 --retry-delay 1 --retry-max-time 10 --retry-connrefused --data @/tmp/eventbody.out [2026-07-09T21:15:19+00:00] vulnerable attempt 1 confirmed shell command execution in a real CronJob pod [2026-07-09T21:15:19+00:00] Deleting cluster pruva-nuclio-cve52831-vulnerable-1 after completed vulnerable attempt 1 [2026-07-09T21:15:20+00:00] --- Running vulnerable product-path attempt 2 on cluster pruva-nuclio-cve52831-vulnerable-2 --- [2026-07-09T21:15:20+00:00] Creating kind cluster pruva-nuclio-cve52831-vulnerable-2 with image f226345927d7 [2026-07-09T21:15:51+00:00] Loading curlimages/curl:8.11.1 and busybox:latest into kind node containerd NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME pruva-nuclio-cve52831-vulnerable-2-control-plane Ready control-plane 26s v1.32.2 172.21.0.3 Debian GNU/Linux 12 (bookworm) 7.0.14-arch1-1 containerd://2.0.2 customresourcedefinition.apiextensions.k8s.io/nucliofunctions.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nuclioprojects.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nucliofunctionevents.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nuclioapigateways.nuclio.io created nuclioproject.nuclio.io/cve-project created deployment.apps/stub-target created nucliofunction.nuclio.io/vulncron created [2026-07-09T21:16:02+00:00] vulnerable attempt 2: controller generated CronJob nuclio-cron-job-d980v4nskr2ho9lc2tfg job.batch/manual-vulnerable-2 created [2026-07-09T21:16:06+00:00] vulnerable attempt 2 pod log follows: uid=100(curl_user) gid=101(curl_group) groups=101(curl_group) curl: (2) no URL specified curl: try 'curl --help' or 'curl --manual' for more information CVE_PRODUCT_RCE uid=100(curl_user) gid=101(curl_group) groups=101(curl_group) : marker --header X-Nuclio-Invoke-Trigger: cron --header X-Nuclio-Target: vulncron nuclio-vulncron.nuclio-cve.svc.cluster.local:8080 --retry 10 --retry-delay 1 --retry-max-time 10 --retry-connrefused --data @/tmp/eventbody.out [2026-07-09T21:16:06+00:00] vulnerable attempt 2 confirmed shell command execution in a real CronJob pod [2026-07-09T21:16:06+00:00] Deleting cluster pruva-nuclio-cve52831-vulnerable-2 after completed vulnerable attempt 2 [2026-07-09T21:16:07+00:00] --- Running fixed product-path attempt 1 on cluster pruva-nuclio-cve52831-fixed-1 --- [2026-07-09T21:16:07+00:00] Creating kind cluster pruva-nuclio-cve52831-fixed-1 with image f226345927d7 [2026-07-09T21:16:36+00:00] Loading curlimages/curl:8.11.1 and busybox:latest into kind node containerd NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME pruva-nuclio-cve52831-fixed-1-control-plane Ready control-plane 24s v1.32.2 172.21.0.3 Debian GNU/Linux 12 (bookworm) 7.0.14-arch1-1 containerd://2.0.2 customresourcedefinition.apiextensions.k8s.io/nucliofunctions.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nuclioprojects.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nucliofunctionevents.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nuclioapigateways.nuclio.io created nuclioproject.nuclio.io/cve-project created deployment.apps/stub-target created nucliofunction.nuclio.io/vulncron created [2026-07-09T21:16:47+00:00] fixed attempt 1: controller generated CronJob nuclio-cron-job-d980vfsr693hkh3lpjq0 job.batch/manual-fixed-1 created [2026-07-09T21:16:51+00:00] fixed attempt 1 pod log follows: ok[2026-07-09T21:16:51+00:00] fixed attempt 1 negative control passed: exec-form curl and no marker execution [2026-07-09T21:16:51+00:00] Deleting cluster pruva-nuclio-cve52831-fixed-1 after completed fixed attempt 1 [2026-07-09T21:16:52+00:00] --- Running fixed product-path attempt 2 on cluster pruva-nuclio-cve52831-fixed-2 --- [2026-07-09T21:16:52+00:00] Creating kind cluster pruva-nuclio-cve52831-fixed-2 with image f226345927d7 [2026-07-09T21:17:22+00:00] Loading curlimages/curl:8.11.1 and busybox:latest into kind node containerd NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME pruva-nuclio-cve52831-fixed-2-control-plane Ready control-plane 25s v1.32.2 172.21.0.3 Debian GNU/Linux 12 (bookworm) 7.0.14-arch1-1 containerd://2.0.2 customresourcedefinition.apiextensions.k8s.io/nucliofunctions.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nuclioprojects.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nucliofunctionevents.nuclio.io created customresourcedefinition.apiextensions.k8s.io/nuclioapigateways.nuclio.io created nuclioproject.nuclio.io/cve-project created deployment.apps/stub-target created nucliofunction.nuclio.io/vulncron created [2026-07-09T21:17:33+00:00] fixed attempt 2: controller generated CronJob nuclio-cron-job-d980vr97armhmg0ea4k0 job.batch/manual-fixed-2 created [2026-07-09T21:17:37+00:00] fixed attempt 2 pod log follows: ok[2026-07-09T21:17:37+00:00] fixed attempt 2 negative control passed: exec-form curl and no marker execution [2026-07-09T21:17:37+00:00] Deleting cluster pruva-nuclio-cve52831-fixed-2 after completed fixed attempt 2 [2026-07-09T21:17:38+00:00] === Product-path reproduction completed successfully === [2026-07-09T21:17:38+00:00] Cleaning up kind cluster pruva-nuclio-cve52831-vulnerable-1 Deleting cluster "pruva-nuclio-cve52831-vulnerable-1" ... [2026-07-09T21:17:38+00:00] Cleaning up kind cluster pruva-nuclio-cve52831-vulnerable-2 Deleting cluster "pruva-nuclio-cve52831-vulnerable-2" ... [2026-07-09T21:17:38+00:00] Cleaning up kind cluster pruva-nuclio-cve52831-fixed-1 Deleting cluster "pruva-nuclio-cve52831-fixed-1" ... [2026-07-09T21:17:38+00:00] Cleaning up kind cluster pruva-nuclio-cve52831-fixed-2 Deleting cluster "pruva-nuclio-cve52831-fixed-2" ...