{
  "variant_id": "CVE-2026-34752-variant-analysis",
  "created_at": "2026-04-04T12:45:00Z",
  "variant_summary": "Systematic variant testing of CVE-2026-34752 prototype pollution fix - no bypass found",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/haraka/email-message",
  "submitted_target": {
    "target_kind": "npm_package",
    "version": "1.2.0",
    "display": "haraka-email-message@1.2.0 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "npm_package",
    "commit_sha": "2378d699ee68a7e55bbfedbedc9f1effb5a06c21",
    "version": "1.3.2",
    "display": "haraka-email-message@1.3.2 (fixed)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "header.parse() prototype pollution via __proto__ key",
  "validated_surface": "header parsing with prototype pollution keys",
  "required_entrypoint_kind": "library_api",
  "required_entrypoint_detail": "Header.parse() method and header.add() method",
  "attacker_controlled_input": "email header key names including __proto__, __PROTO__, constructor, prototype",
  "trigger_path": "Header.parse() or header.add() -> _add_header() -> prototype pollution attempt",
  "observed_impact_class": "none_no_bypass",
  "exploitability_confidence": "low",
  "evidence_scope": "isolated_harness",
  "runtime_manifest_present": false,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "Object.create(null) and explicit key guards prevent all tested variants",
  "file_path": "lib/header.js",
  "line_start": 216,
  "line_end": 220,
  "secondary_anchors": [
    {
      "file_path": "lib/header.js",
      "line_start": 103,
      "line_end": 104
    }
  ],
  "review_scope_paths": [
    "lib/header.js"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "repro_log": "logs/variant_test.log"
  }
}