CVE Hunting Python Repos with VulnHunter

Step 1: Installation

1. Install Python 3.10 (required for Vulnhuntr to work reliably). Example On Ubuntu:

   Copy

   sudo add-apt-repository ppa:deadsnakes/ppa
   sudo apt update
   sudo apt install python3.10 python3.10-venv python3.10-dev
   curl -sS https://bootstrap.pypa.io/get-pip.py | python3.10
   python3.10 -m pip install --user pipx
   python3.10 -m pipx ensurepath

2. Install Vulnhuntr using pipx:

   Copy

   pipx install git+https://github.com/protectai/vulnhuntr.git --python python3.10

Step 2: Running Vulnhuntr on Python Repositories

• Vulnhuntr works with all Python repositories, not just those hosted on Huntr. It analyzes any Python codebase locally or remotely, focusing on files handling user input for better vulnerability detection.

• Basic usage (scan entire Python repo):

  Copy

  vulnhuntr.py -r /path/to/target/repo  

• Target specific files (recommended to reduce token use and improve accuracy):

  Copy

  vulnhuntr.py -r /path/to/target/repo -a path/to/target_file.py  

  For example, target files that handle HTTP routes or user input, such as those containing @route decorators in FastAPI or Flask.

• Additional flags:

  • -l — select the LLM client (options: claude, gpt, ollama; default is claude)

  • -v — increase verbosity for detailed logs

Step 3: Analyze and Interpret Vulnhuntr Output

• Review the output carefully; it contains a scratchpad with step-by-step reasoning, an analysis section explaining the vulnerability, and proof-of-concept (PoC) exploits.

• Confidence scores:

  • 8+ = high-confidence vulnerability

  • 7 = suspicious, requires further investigation and tweaking

  • <6 = likely false positive

• Always manually verify findings; do not copy Vulnhuntr output directly to maintainers.

Step 4: Manual Testing and Verification

• Deploy or run the target project locally or in an isolated environment to reproduce vulnerabilities.

• Use tools like Burp Suite for intercepting requests, manual fuzzing, and exploit verification.

• Create manual proof-of-concept exploits to confirm impacts such as data leakage, command injection, or SSRF.

• Focus on high-confidence alerts for verification and modify PoCs if needed.

Step 5: Reporting and Applying for CVEs

• Prepare a detailed vulnerability report including:

  • Steps to reproduce

  • Impact assessment

  • Manual testing evidence

• Submit your findings via:

  • Huntr.com directly or through the project's Security tab on GitHub

• If accepted, Huntr can assist with applying for a CVE, or apply independently via the MITRE CVE request form: https://cveform.mitre.org/

Helpful Resources

• Step-by-step guide on getting your first CVE with Vulnhuntr: Hunting with Vulnhuntr: Getting Your First CVE

• Bug hunting introduction: Bug Hunting in AI/ML Tools

• Huntr participation guidelines: Huntr Participation Guidelines

• Manual security testing tutorial: Hands-on Practice with BurpSuite and MLflow