{
  "variant_id": "pruva-nuclio-cve-2026-52831-negative-001",
  "created_at": "2026-07-09T21:27:32Z",
  "variant_summary": "No fixed-version bypass or materially distinct same-root-cause variant was confirmed for Nuclio cron-trigger shell command injection. The fixed commit removes the shell sink from the centralized Kubernetes CronJob generation path and uses exec-form curl with --data-raw.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/nuclio/nuclio",
  "submitted_target": {
    "target_kind": "git_commit_parent",
    "commit_sha": "82b9b64ee9bc0c7d99447b5890ef85973fee4e36",
    "ref": "3356b86a8bfa^",
    "display": "Nuclio vulnerable parent of fixed commit 3356b86a8bfa"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "3356b86a8bfab3f960aa420310ebff765df9dede",
    "ref": "3356b86a8bfa",
    "display": "Nuclio fixed commit [Security] Fix cron trigger shell injection (#4139)"
  },
  "same_root_cause_confidence": "high_for_attempted_candidates",
  "same_surface_confidence": "high_for_attempted_candidates",
  "claimed_surface": "Nuclio Kubernetes controller cron-trigger CronJob generation from NuclioFunction spec.triggers cron event.headers and event.body",
  "validated_surface": "No variant surface validated on the fixed commit; source inspection and probes show the fixed cron-trigger surface is covered.",
  "required_entrypoint_kind": "kubernetes_custom_resource",
  "required_entrypoint_detail": "Create or update a NuclioFunction CR with spec.triggers[*].kind=cron and malicious attributes.event headers/body.",
  "attacker_controlled_input": "Cron trigger attributes.event.headers keys/values and attributes.event.body in a NuclioFunction resource",
  "trigger_path": "NuclioFunction cron trigger -> createOrUpdateCronJobs -> createOrUpdateCronTriggerCronJobs -> generateCronTriggerCronJobSpec -> Kubernetes CronJob invocator container",
  "observed_impact_class": "none_on_fixed_target",
  "exploitability_confidence": "none_for_bypass",
  "evidence_scope": "source_inspection_and_local_cli_semantics_probe_with_fixed_commit_identity",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": "The fixed commit invokes curl directly with discrete argv entries and eliminates /bin/sh -c from the cron-trigger CronJob generation path; tested alternate header/body encodings do not regain shell command execution.",
  "blocking_mitigation": "Exec-form Command [\"curl\"] plus Args curlArgs and --data-raw for body content in pkg/platform/kube/functionres/lazy.go.",
  "file_path": "pkg/platform/kube/functionres/lazy.go",
  "line_start": 2142,
  "line_end": 2213,
  "secondary_anchors": [
    {
      "file_path": "pkg/platform/kube/functionres/lazy_test.go",
      "line_start": 972,
      "line_end": 1160
    }
  ],
  "review_scope_paths": [
    "pkg/platform/kube/functionres/lazy.go",
    "pkg/platform/kube/functionres/lazy_test.go",
    "pkg/processor/trigger/cron",
    "cmd/controller"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
