How it works
Advisory to runnable proof, autonomously.
Analyze the advisory
An AI agent reads the GHSA or CVE, pulls the vulnerable package, and understands the vulnerability's root cause.
Reproduce in a sandbox
The agent builds a faithful copy of the affected software and fires the exploit, capturing the crash, the leak, or the shell.
Publish verifiable proof
A self-contained script, a session replay, and a permanent REPRO ID. Run pruva-verify to see it fire yourself.
Latest
Verified Reproductions
Log4j MapMessage emits invalid JSON for non-finite values
Samba’s printing subsystem allows OS command injection via unescaped job description (%J), enabling remote code execution through crafted print jobs.
XRING: Alibaba XQUIC QPACK ring-buffer resize underflow
Nuclio cron trigger shell command injection leading to RCE
Apache Tomcat partial PUT session deserialization RCE
Apache Kafka SASL/OAUTHBEARER accepts unvalidated JWTs
The identifier
Why REPRO IDs?
Verified Proof
Each reproduction includes executable scripts, session replays, and before/after evidence proving the vulnerability exists.
Permanent Citation
REPRO IDs are permanent, citable references. Link CVEs, GHSAs, and issues to verified reproductions.
Full Transparency
Watch session replays showing exactly how the agent reproduced the issue. Nothing hidden, everything auditable.
Cite it
Embed in Your README
Show that your security advisory has been independently verified with an embeddable badge.
Don't take the advisory's word for it. Run it.
Browse the full catalog of autonomously reproduced vulnerabilities — each with a runnable proof and a permanent REPRO ID.
Browse All Reproductions →