Real AST-based vulnerability scanning for AI-generated code. FRACTURE detects the patterns that AI code generators produce under time pressure: subprocess(shell=True), eval/exec, pickle.loads, yaml.load, SQL f-strings, hardcoded API keys, SSTI templates. Eight subsystems from static analysis through live endpoint probing, LLM-augmented exploit generation, kill chain assembly, and Ed25519-signed reports. Every vulnerability class your AI coding agent introduces — found, exploited, and chained.
Every phase of AI-generated code exploitation from static analysis through kill chain assembly. OPEN gate for scanning. INJECT gate for live probing and exploit generation. UNLEASHED gate for kill chain execution and annihilate.
Real AST-based Python analysis via PythonASTScanner. Walks ast.Call, ast.JoinedStr, ast.BinOp, ast.Assign. Detects eval/exec/pickle.loads/yaml.load/subprocess(shell=True)/SQL f-strings/hardcoded secrets/insecure random/weak crypto. AiCodeDetector scores AI probability via comment density + generic variable names + try/except pass. GenericScanner regex for JS/TS/Go/PHP/Java/Ruby/C#. 8 supported languages.
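The AST walk described above, reduced to four of the listed checks, as an added example for reviewers who want the same signals in CI. This is not FRACTURE's PythonASTScanner: the rule table, the `eval_exec` label, `dotted_name`, `scan_source` and the sample source are constructed here.

```python
import ast

# Hypothetical rule table for this example, not the tool's own.
DANGEROUS_CALLS = {"eval": "eval_exec", "exec": "eval_exec", "pickle.loads": "deserialization"}
SQL_VERBS = ("select ", "insert ", "update ", "delete ")

def dotted_name(node):  # 'a.b.c' for a Name/Attribute chain, '' otherwise
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def scan_source(source):  # sorted (line, vuln_class) findings for one source string
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            kwargs = {k.arg: k.value for k in node.keywords}
            if name == "yaml.load":
                # Safe only when a SafeLoader is passed by keyword or position.
                loader = kwargs.get("Loader") or (node.args[1] if len(node.args) > 1 else None)
                if not dotted_name(loader).endswith("SafeLoader"):
                    findings.append((node.lineno, "yaml_unsafe"))
            elif name in DANGEROUS_CALLS:
                findings.append((node.lineno, DANGEROUS_CALLS[name]))
            elif name.startswith("subprocess."):
                shell = kwargs.get("shell")
                if isinstance(shell, ast.Constant) and shell.value is True:
                    findings.append((node.lineno, "command_injection"))
        elif isinstance(node, ast.JoinedStr):
            # f-string whose literal text starts like SQL and that interpolates a value
            text = "".join(str(v.value) for v in node.values if isinstance(v, ast.Constant))
            interpolated = any(isinstance(v, ast.FormattedValue) for v in node.values)
            if interpolated and text.lstrip().lower().startswith(SQL_VERBS):
                findings.append((node.lineno, "sql_injection"))
    return sorted(findings)

# Constructed sample: risky calls next to their safer forms, which must not be flagged.
SAMPLE = '''\
import pickle, subprocess, yaml
def handler(req, db):
    cfg = yaml.load(req.body)
    ok = yaml.load(req.body, Loader=yaml.SafeLoader)
    subprocess.run("ping " + req.host, shell=True)
    db.execute(f"SELECT * FROM users WHERE id = {req.user_id}")
    db.execute("SELECT * FROM users WHERE id = ?", (req.user_id,))
    return pickle.loads(req.cookie)
'''
```

Because the walk works on the parsed tree, the parameterised query and the `SafeLoader` call in the sample produce no findings, which a plain text match on `yaml.load` or `SELECT` would not manage.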
CVE_CLASS_DB cross-references 10 CVE and CWE entries against detected vulnerability patterns, including CVE-2025-67644 (LangGraph SQLite injection, CVSS 9.0), CVE-2025-68664 (LangChain pickle RCE, CVSS 9.3), CVE-2026-34070 (LangChain path traversal), CVE-2026-25592 (Semantic Kernel .NET SSRF, CVSS 9.1), CVE-2026-26030 (SK Python SSTI, CVSS 8.8) and CVE-2017-18342 (yaml.load, CVSS 9.8). 10 PRIVESC_PATTERNS, including docker socket, K8s serviceaccount, cloud metadata SSRF, IAM AssumeRole.
Live endpoint probing with PROBE_PAYLOADS per vuln class: sql_injection, command_injection, ssti, path_traversal, ssrf, xss. Three confirmation methods: error_pattern (response text matching), timing (TIMING_THRESHOLD=2.5s blind detection), reflection ({{7*7}}=49 for SSTI). probe_disclosure() checks debug endpoints and error message leakage.
LLM-augmented exploit generation via claude-sonnet-4-6 when ANTHROPIC_API_KEY available. Generates target-specific, working Python exploits from vulnerability findings and CVE data. Six hardcoded EXPLOIT_TEMPLATES fallback when no API key: sql_injection, command_injection, ssti, path_traversal, hardcoded_secret, deserialization. ExploitCode.save() writes file chmod 0o750.
Kill chain assembly from individual findings. KILL_CHAIN_PHASE map: ssrf→INITIAL_ACCESS, path_traversal→INITIAL_ACCESS, sql_injection→CREDENTIAL_ACCESS, yaml_unsafe→PERSISTENCE, command_injection→RCE. WMD class triggered when average CVSS ≥8.0. KillChainAssembler generates syntactically valid Python master script. MITRE ATT&CK technique ID mapping.
Safe subprocess-based exploit validation. ExploitVerifier writes exploit to temp file and executes with 15s timeout. SUCCESS_INDICATORS per vuln class checked in stdout+stderr. Blind injection detected via TimeoutExpired (sql_injection, command_injection). syntax_check() via ast.parse without execution. run_suite() aggregates results with confidence 0.0–1.0.
26 SECRET_PATTERNS: OpenAI sk-proj-, Anthropic sk-ant-api03-, AWS AKIA[0-9A-Z]{16}, GitHub ghp_/github_pat_, Google AIza, Slack xox, Stripe sk_live_, HuggingFace hf_, Azure OpenAI, PEM private keys, database URLs, Bearer tokens, Basic auth. Shannon entropy analysis ≥4.5 threshold for unrecognised tokens. Git history scanning via subprocess git log + git show for last 200 commits.
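How named patterns and the entropy fallback combine, as an added example for pre-commit or CI use. It is not FRACTURE's own code: the two regexes are an illustrative subset (the `ghp_` tail length is GitHub's token format, not something the page states), and `CANDIDATE`, `scan_text` and the sample values are constructed here.

```python
import math
import re
from collections import Counter

# Illustrative subset; the tool's 26 SECRET_PATTERNS are not reproduced on the page.
NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")  # assumed token shape for the fallback
ENTROPY_THRESHOLD = 4.5  # bits per character, the threshold stated above

def shannon_entropy(token):
    """Shannon entropy of the character distribution, in bits per character."""
    if not token:
        return 0.0
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())

def scan_text(text):
    """Return (line, rule) pairs; secret values are never copied into findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        known = []
        for rule, pattern in NAMED_PATTERNS.items():
            for m in pattern.finditer(line):
                known.append(m.span())
                findings.append((lineno, rule))
        for m in CANDIDATE.finditer(line):
            # Entropy is only the fallback for tokens no named rule recognised.
            overlaps = any(m.start() < end and start < m.end() for start, end in known)
            if not overlaps and shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_token"))
    return findings

# Constructed sample: documentation-style placeholder keys, one random-looking
# token, and one long but ordinary identifier that must stay below the threshold.
SAMPLE = """\
aws_key = "AKIAIOSFODNN7EXAMPLE"
gh_token = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
session_signing = "q7Zx2LmP9vKc4TbR8nWd3HsY6gJf5EuA"
cache_dir = "configuration_directory_path_default"
"""
```

A 4.5-bit threshold needs at least 23 distinct characters in the token, so short secrets and hex strings (at most 4 bits per character) only surface through a named pattern.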
Ed25519-signed FRC-{hex12} reports via PyNaCl. Risk score 0–10, forced ≥8.5 when any CRITICAL finding. Per-finding remediation guidance. JSON, Markdown, and text formats. ANNIHILATE chain: full SCAN→HUNT→HARVEST→FORGE→CHAIN→REPORT automation. Operator-locked UNLEASHED scope via ~/.red-specter/specter-fracture/.
FRACTURE HUNT cross-references every finding against known CVEs and CWE classes in AI/ML frameworks. Ten entries in CVE_CLASS_DB. Each entry maps to a specific vuln_class, CVSS score, and exploit pathway.
| CVE / CWE | Framework | Class | CVSS | Impact |
|---|---|---|---|---|
| CVE-2025-67644 | LangGraph | sql_injection | 9.0 | SQLite injection via NL-to-SQL agent, unrestricted DDL/DML |
| CVE-2025-68664 | LangChain | deserialization | 9.3 | pickle.loads via PythonREPLTool, arbitrary RCE via prompt injection |
| CVE-2026-34070 | LangChain | path_traversal | 7.5 | Path traversal in document loader, arbitrary file read |
| CVE-2026-25592 | Semantic Kernel .NET | ssrf | 9.1 | HttpPlugin SSRF to cloud metadata and internal services |
| CVE-2026-26030 | Semantic Kernel Python | ssti | 8.8 | Jinja2 template injection via AI-generated prompt templates |
| CVE-2017-18342 | PyYAML | yaml_unsafe | 9.8 | yaml.load() without Loader allows arbitrary Python object instantiation |
| CWE-78 | Python stdlib | command_injection | 10.0 | subprocess(shell=True) with unvalidated user input |
| CWE-798 | All | hardcoded_secret | 9.3 | API keys/credentials hardcoded by AI code generators |
| CWE-918 | All | ssrf | 7.7 | Unrestricted URL fetch enables cloud metadata SSRF |
| CVE-2026-44338 | PraisonAI/Generic | missing_auth | 7.5 | Unauthenticated admin API in AI-generated route handlers |
Five WMD classes specific to AI-generated code exploitation. Triggered when kill chain CVSS average ≥8.0 or specific critical findings confirmed. Require UNLEASHED gate clearance.
Remote code execution via AI-generated vulnerability: eval/exec, subprocess(shell=True), pickle.loads, yaml.load, SSTI. Highest severity — full OS access from application-layer flaw.
Credential exfiltration from AI-generated code: hardcoded API keys, AWS AKIA, Anthropic sk-ant-, GitHub PATs embedded in source. Keys often survive removal in git history.
Full kill chain assembled from AI-generated code flaws: INITIAL_ACCESS through PRIVILEGE_ESCALATION in a single automated campaign. Triggered when average CVSS across chain ≥8.0.
Supply chain attack via AI-generated dependencies: unpinned vulnerable packages, typosquatted imports, postinstall hooks with subprocess execution. Affects every downstream consumer.
Privilege escalation via AI-generated configuration: Docker privileged:true + /:/host volume, K8s automountServiceAccountToken, docker socket mount. Container escape to host root from AI-generated docker-compose.yml or Kubernetes manifests added "for convenience".
Install, auth, and scan your first AI-generated codebase in under two minutes.
Three-tier Ed25519-signed gate system. One private key. One operator. Scopes stored in ~/.red-specter/specter-fracture/.
SCAN (static analysis, AI code detection), REPORT (build, verify). No auth required beyond CLI installation. Safe for CI/CD pipeline integration.
HUNT (CVE mapping, privesc detection), PROBE (live endpoint testing), FORGE (exploit generation), VERIFY (exploit execution), HARVEST (secret extraction, git history). Requires Ed25519 scope token.
CHAIN (kill chain assembly, master script generation), ANNIHILATE (full SCAN→HUNT→HARVEST→FORGE→CHAIN→REPORT). Requires --confirm-destroy flag + UNLEASHED-tier scope token. WMD class activation.