{
  "stage": "vuln_variant",
  "claim_outcome": "not_confirmed_variant",
  "variant_result": "no_bypass_found",
  "repro_result": "confirmed_on_vulnerable_only",
  "validated_surface": "library_api",
  "evidence_scope": "production_path",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "none",
  "attacker_controlled_input": "URL path with encoded slash %2F (and nested/variant encodings) in a path-parameter position, sent without the required credential header to a Fastify server guarding a parameterized route with @fastify/middie middleware",
  "trigger_path": "Request URL -> lib/engine.js run() -> normalizePathForMatching() (sole decode sink) -> Holder.done() regexp.exec(normalizedUrl) decides whether the parameterized guard runs. 9.3.2 decodes %2F->'/' (guard skipped, route dispatched, 200). 9.3.3 safeDecodeURI preserves %2F (guard matches, 401).",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "inferred": false,
  "blocking_mitigation": "9.3.3 fix (commit 61d90cd) aligns the sole path-decode sink normalizePathForMatching in lib/engine.js with find-my-way's safeDecodeURI, preserving %2F/%2f in middleware matching exactly as the router does during lookup; decodeNestedPercentEncodedBytes (%25XX->%XX) cannot recreate a literal slash; companion commit 01acaed rejects malformed percent-encoding with 400. Verified via search_code that normalizePathForMatching is the single decode sink, so all entry points (all hooks, top-level use, encapsulated prefixed use, all HTTP methods) are covered. 0 bypasses on the fixed 9.3.3 build across ~60 candidate probes, versus 24 bypasses on vulnerable 9.3.2.",
  "candidate_matrix_summary": {
    "total_candidate_probes": 60,
    "vulnerable_9_3_2_bypasses": 24,
    "fixed_9_3_3_bypasses": 0,
    "fixed_is_latest_published": true,
    "candidate_categories": [
      "single-encoded %2F / %2f / mixed / multiple / param-only",
      "double/triple/quad-encoded %252F / %25252F / %2525252F (not bypass vectors on either build; single-pass decoder)",
      "bare %25 / %252 nested-percent edge cases",
      "query string / trailing slash / duplicate leading slash / semicolon matrix params",
      "router-option combinations (ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter, alone + combined)",
      "structural: multi-param guards, prefix (end:false) guard",
      "method-agnosticism (GET/POST/PUT/PATCH/DELETE/HEAD/OPTIONS)",
      "alternate entry point: encapsulated prefixed plugin use()"
    ]
  },
  "control_check": {
    "original_percent2F_bypasses_vulnerable": true,
    "original_percent2F_bypasses_fixed": false,
    "harness_valid": true
  },
  "verdict": "NO distinct variant or bypass of the 9.3.3 fix found. The fix is complete for the encoded-slash-in-parameter bypass class. Negative variant result."
}
