Forge-CRS — Autonomous Cyber Reasoning System
Verification Report
Status: PASS | Checks passed: 37 / 37 (100%) | Seed: 1337 | Generated: 2026-06-25T20:43:25.678Z
What is verified
The CRS is run end-to-end, unattended, over the benchmark of seeded real-world vulnerability classes. For each target the verifier asserts that the full autonomous loop succeeded: the bug was discovered by coverage-guided fuzzing of the *unpatched* code, classified to the correct CWE, reduced to a minimal PoV, and patched by source rewrite; the PoV is neutralized by that patch; and every functional regression case still passes. Global gates assert that the whole pipeline closed every target, that coverage guidance was live, and that two identically-seeded runs are bit-for-bit identical.
Campaign summary
Discovered 5/5 · classified 5/5 · remediated 5/5 · wall-clock 4696ms.
| Target | CWE | Status | Execs | PoV (min) | PoV neutralized | Regression |
|---|---|---|---|---|---|---|
| config-merge | CWE-1321 Prototype Pollution | REMEDIATED | 3 | 31B `{"__proto__":{"polluted":true}}` | yes | 2/2 |
| path-store | CWE-22 Path Traversal | REMEDIATED | 189 | 2B `..` | yes | 2/2 |
| task-runner | CWE-78 OS Command Injection | REMEDIATED | 14 | 1B `\n` | yes | 1/1 |
| regex-validate | CWE-1333 ReDoS (catastrophic backtracking) | REMEDIATED | 40 | 23B `aaaaaaaaaaaaaaaaaaaaaa!` | yes | 4/4 |
| binary-reader | CWE-125 Out-of-bounds Read | REMEDIATED | 5 | 2B `0xff7f` | yes | 2/2 |
Checks
| Check | Detail | Result |
|---|---|---|
| config-merge: vulnerability discovered by fuzzing unpatched code | 3 executions, signal=PROTOTYPE_POLLUTION | PASS |
| config-merge: classified to ground-truth CWE-1321 | classifier said CWE-1321 | PASS |
| config-merge: PoV minimized to a tight reproducer | 53 -> 31 bytes [`{"__proto__":{"polluted":true}}`] | PASS |
| config-merge: patch synthesized & applied | Refuse to merge the dangerous keys `__proto__`/`constructor`/`prototype`. | PASS |
| config-merge: PoV neutralized by patch (hole closed) | oracle no longer fires on PoV | PASS |
| config-merge: functional regression preserved | 2/2 cases pass | PASS |
| config-merge: coverage guidance was live (V8 block coverage) | coverageActive=true, blocks=11 | PASS |
| path-store: vulnerability discovered by fuzzing unpatched code | 189 executions, signal=PATH_TRAVERSAL | PASS |
| path-store: classified to ground-truth CWE-22 | classifier said CWE-22 | PASS |
| path-store: PoV minimized to a tight reproducer | 14 -> 2 bytes [..] | PASS |
| path-store: patch synthesized & applied | Resolve against the base and reject any path that escapes it. | PASS |
| path-store: PoV neutralized by patch (hole closed) | oracle no longer fires on PoV | PASS |
| path-store: functional regression preserved | 2/2 cases pass | PASS |
| path-store: coverage guidance was live (V8 block coverage) | coverageActive=true, blocks=2 | PASS |
| task-runner: vulnerability discovered by fuzzing unpatched code | 14 executions, signal=COMMAND_INJECTION | PASS |
| task-runner: classified to ground-truth CWE-78 | classifier said CWE-78 | PASS |
| task-runner: PoV minimized to a tight reproducer | 22 -> 1 bytes [\n] | PASS |
| task-runner: patch synthesized & applied | Pass the file name as an argv element instead of a shell string. | PASS |
| task-runner: PoV neutralized by patch (hole closed) | oracle no longer fires on PoV | PASS |
| task-runner: functional regression preserved | 1/1 cases pass | PASS |
| task-runner: coverage guidance was live (V8 block coverage) | coverageActive=true, blocks=2 | PASS |
| regex-validate: vulnerability discovered by fuzzing unpatched code | 40 executions, signal=REDOS_HANG | PASS |
| regex-validate: classified to ground-truth CWE-1333 | classifier said CWE-1333 | PASS |
| regex-validate: PoV minimized to a tight reproducer | 31 -> 23 bytes [aaaaaaaaaaaaaaaaaaaaaa!] | PASS |
| regex-validate: patch synthesized & applied | Replace the nested quantifier with an equivalent linear pattern. | PASS |
| regex-validate: PoV neutralized by patch (hole closed) | oracle no longer fires on PoV | PASS |
| regex-validate: functional regression preserved | 4/4 cases pass | PASS |
| binary-reader: vulnerability discovered by fuzzing unpatched code | 5 executions, signal=OUT_OF_BOUNDS_READ | PASS |
| binary-reader: classified to ground-truth CWE-125 | classifier said CWE-125 | PASS |
| binary-reader: PoV minimized to a tight reproducer | 6 -> 2 bytes [0xff7f] | PASS |
| binary-reader: patch synthesized & applied | Clamp the declared count to the bytes actually present. | PASS |
| binary-reader: PoV neutralized by patch (hole closed) | oracle no longer fires on PoV | PASS |
| binary-reader: functional regression preserved | 2/2 cases pass | PASS |
| binary-reader: coverage guidance was live (V8 block coverage) | coverageActive=true, blocks=3 | PASS |
| Full pipeline remediated every target | 5/5 REMEDIATED in 4696ms | PASS |
| Deterministic: identical seed -> identical outcomes | run1 == run2 | PASS |
| No regression failures across the campaign | 0 regression failure(s) | PASS |