{
  "variant_id": "vuln_variant_01d1f53a_dot_slash_telegram",
  "created_at": "2026-07-03T14:45:00Z",
  "variant_summary": "Alternate traversal alias ./telegram in the Authorization header bypasses the reserved-name check in fast-mcp-telegram <= 0.19.0 and resolves to the default telegram.session, enabling the same authz bypass as the parent CVE. The alias is blocked by the 0.19.1 token whitelist, so it is not a fix bypass.",
  "relation": "alternate_trigger",
  "origin_kind": "pruva_variant",
  "repository": "leshchenko1979/fast-mcp-telegram",
  "submitted_target": {
    "target_kind": "pypi_version",
    "commit_sha": null,
    "version": "0.19.0",
    "ref": "fast-mcp-telegram==0.19.0",
    "display": "fast-mcp-telegram 0.19.0 (PyPI)"
  },
  "variant_target": {
    "target_kind": "pypi_version",
    "commit_sha": null,
    "version": "0.19.0",
    "ref": "fast-mcp-telegram==0.19.0",
    "display": "fast-mcp-telegram 0.19.0 (PyPI), compared against the fixed 0.19.1 release"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "POST /v1/mcp with Authorization: Bearer ./telegram",
  "attacker_controlled_input": "HTTP Authorization header containing the Bearer token traversal alias ./telegram",
  "trigger_path": "POST /v1/mcp -> SessionFileTokenVerifier.verify_token() -> session_dir / './telegram.session' -> resolves to telegram.session",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "blocking_mitigation",
  "blocking_mitigation": "fixed in fast-mcp-telegram 0.19.1 by a strict bearer-token regex (^[A-Za-z0-9_-]{43}$) and a resolved-path containment check in session_file_path(); the ./telegram alias is rejected before any filesystem access",
  "file_path": "src/server_components/session_token_verifier.py",
  "line_start": 60,
  "line_end": 70,
  "secondary_anchors": [
    {
      "file_path": "src/server_components/auth_middleware.py",
      "line_start": 70,
      "line_end": 100
    },
    {
      "file_path": "src/client/connection.py",
      "line_start": 285,
      "line_end": 295
    },
    {
      "file_path": "src/server_components/session_token_validation.py",
      "line_start": 45,
      "line_end": 67
    }
  ],
  "review_scope_paths": [
    "src/server_components/session_token_verifier.py",
    "src/server_components/auth_middleware.py",
    "src/server_components/auth.py",
    "src/client/connection.py",
    "src/server_components/web_setup.py",
    "src/server_components/session_token_validation.py"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/variant_reproduction_steps_run2.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
