{ "variant_outcome": "distinct_variant_confirmed", "bypass_found": false, "variant_summary": "Confirmed a distinct variant using HEAD requests instead of GET. The HEAD method triggers the same root cause (unconsumed request body on static file handlers) but represents a different entry point. The fixed version (v0.40.0) properly handles this variant.", "tested_variants": [ { "variant_id": "v1_get_baseline", "description": "Original GET request smuggling (baseline)", "vulnerable_result": "confirmed", "fixed_result": "blocked", "is_novel": false }, { "variant_id": "v2_cl_te", "description": "CL+TE header confusion attack", "vulnerable_result": "not_exploitable", "fixed_result": "blocked", "is_novel": false }, { "variant_id": "v3_head", "description": "HEAD request smuggling (distinct variant)", "vulnerable_result": "confirmed", "fixed_result": "blocked", "is_novel": true, "note": "Same root cause as GET, different HTTP method" }, { "variant_id": "v4_oversized", "description": "Oversized body to test drain failure handling", "vulnerable_result": "connection_closed", "fixed_result": "connection_closed", "is_novel": false }, { "variant_id": "v5_http10", "description": "HTTP/1.0 with keep-alive", "vulnerable_result": "not_exploitable", "fixed_result": "not_exploitable", "is_novel": false } ], "fix_assessment": { "fix_version": "v0.40.0", "fix_commit": "6fd97aeca0faa1c6e1bd7ae8150c821dcff31c3b", "fix_complete": true, "bypassable": false, "covers_variant": true, "notes": "The fix comprehensively addresses both GET and HEAD variants through body draining mechanism" }, "blocking_mitigation": "The v0.40.0 fix adds body consumption tracking and post-processing drain that prevents both GET and HEAD variants. The CL+TE rejection provides additional defense in depth.", "evidence_location": "logs/vuln_variant/", "confidence": "high", "timestamp": "2026-04-03T15:45:00Z" }