{
  "variant_id": "CVE-2026-35025-DELE-bypass",
  "created_at": "2026-07-01T15:00:00Z",
  "variant_summary": "Bypass of the proposed CVE-2026-35025 RNFR-only fix using the DELE command, which shares the same dir_canonical_path()+dir_check() root cause.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "proftpd/proftpd",
  "submitted_target": {
    "target_kind": "git_commit",
    "commit_sha": "390b21555268bbc64b66d2dfa7ae40476419b80f",
    "version": "v1.3.9b",
    "ref": "refs/tags/v1.3.9b",
    "display": "proftpd/proftpd v1.3.9b (390b2155)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "390b21555268bbc64b66d2dfa7ae40476419b80f",
    "version": "v1.3.9b + proposed RNFR patch",
    "ref": "repo-patched worktree",
    "display": "proftpd/proftpd v1.3.9b (390b2155) with the one-line RNFR dir_check->dir_check_canon patch applied"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "network_protocol",
  "validated_surface": "network_service",
  "required_entrypoint_kind": "network_service",
  "required_entrypoint_detail": "Authenticated FTP session; DELE command over the FTP control connection; non-chrooted server with DenyAll Directory ACL",
  "attacker_controlled_input": "DELE path argument prefixed with /proc/self/root",
  "trigger_path": "ProFTPD DELE command handler (core_dele in modules/mod_core.c) -> dir_canonical_path() -> dir_check()",
  "observed_impact_class": "authz_bypass_file_deletion",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": null,
  "file_path": "modules/mod_core.c",
  "line_start": 6090,
  "line_end": 6110,
  "secondary_anchors": [
    {
      "file_path": "modules/mod_core.c",
      "line_start": 6479,
      "line_end": 6482
    },
    {
      "file_path": "src/support.c",
      "line_start": 377,
      "line_end": 415
    },
    {
      "file_path": "src/dirtree.c",
      "line_start": 1950,
      "line_end": 2110
    }
  ],
  "review_scope_paths": [
    "modules/mod_core.c",
    "src/support.c",
    "src/dirtree.c",
    "modules/mod_facts.c"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/variant_reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": ["bundle/vuln_variant/reproduction_steps.sh"]
  }
}
