{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "library_api",
  "evidence_scope": "production_path",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "Small-order Ed25519 public key (identity point 0x01+31 zeros, or order-8 point c7176a70...037a) and crafted signature with S=0 and low-order R component, supplied to subtle.importKey and subtle.verify",
  "trigger_path": "subtle.importKey(raw, smallOrderPubKey, {name:'Ed25519'}) -> subtle.verify({name:'Ed25519'}, key, craftedSig, message) -> SignTraits::DeriveBits Mode::Verify in crypto_sig.cc -> context.verify() (OpenSSL EVP_DigestVerifyFinal, cofactorless) -> returns 1 for small-order points -> buf[0]=1 (verify result true)",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false
}
