{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "library_api",
  "evidence_scope": "production_path",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "URL path with encoded slash %2F in the parameter position, e.g. GET /user/a%2Fb/comments sent without the x-api-key header",
  "trigger_path": "Middie's normalizePathForMatching (lib/engine.js) decodes %2F to '/' via FindMyWay.sanitizeUrlPath before matching the parameterized guard /user/:id/comments, so the guard regexp fails to match the request. Fastify's router (find-my-way) preserves %2F and still dispatches the /user/:id/comments handler, so the unauthenticated request reaches the protected handler (HTTP 200).",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "blocking_mitigation": null,
  "inferred": false
}
