[INFO] ToolHive CVE-2026-58196 reproduction started at 2026-07-16T08:20:18Z [INFO] Source v0.30.0 commit: bc4beddb921523d1f314b82b5b9d4249ee0a605b [INFO] Source v0.31.0 commit: 493d030ed24b8c012db4c5717475a2386f5b72ce [WARN] Could not bind 198.18.0.10; falling back to 127.0.0.1. Fixed version may allow localhost metadata for intentionally internal targets. [INFO] === vulnerable attempt 1 using ToolHive v0.30.0 Commit: bc4beddb921523d1f314b82b5b9d4249ee0a605b Built: 2026-06-17 16:38:55 UTC Go version: go1.26.4 Platform: linux/amd64 === [INFO] vulnerable attempt 1: malicious requests=6, canary requests=1 [INFO] === vulnerable attempt 2 using ToolHive v0.30.0 Commit: bc4beddb921523d1f314b82b5b9d4249ee0a605b Built: 2026-06-17 16:38:55 UTC Go version: go1.26.4 Platform: linux/amd64 === [INFO] vulnerable attempt 2: malicious requests=6, canary requests=1 [INFO] === fixed attempt 1 using ToolHive v0.31.0 Commit: 493d030ed24b8c012db4c5717475a2386f5b72ce Built: 2026-06-24 19:50:53 UTC Go version: go1.26.4 Platform: linux/amd64 === [INFO] fixed attempt 1: malicious requests=6, canary requests=0 [INFO] === fixed attempt 2 using ToolHive v0.31.0 Commit: 493d030ed24b8c012db4c5717475a2386f5b72ce Built: 2026-06-24 19:50:53 UTC Go version: go1.26.4 Platform: linux/amd64 === [INFO] fixed attempt 2: malicious requests=6, canary requests=0 [INFO] Vulnerable canary-hit attempts: 2/2 [INFO] Fixed canary-hit attempts: 0/2 [CONFIRMED] CVE-2026-58196 reproduced with vulnerable/fixed divergence.