{
  "entrypoint_kind": "tcp_peer",
  "entrypoint_detail": "HTTP/2 client sends crafted HEADERS/DATA frames to varnishd; backend HTTP/1 conversation is inspected for a second, attacker-controlled request",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": false,
  "runtime_stack": [
    "varnishd",
    "vinyltest/varnishtest",
    "tcp_peer",
    "http2"
  ],
  "proof_artifacts": [
    "logs/variant_summary.txt",
    "logs/variant_ca_vuln.log",
    "logs/variant_ca_fixed.log",
    "logs/variant_f00019_fixed.log"
  ],
  "notes": "Vulnerable source dc27a2dce662015cf79bbda5ff193b6bb74ba2d1 (9.0.2) still smuggles with :a. Fixed source 0a625649cd40af4b6c10be5e58a2e89a5e275baa (9.0.3) rejects every tested prefix pseudo-header variant with RST_STREAM PROTOCOL_ERROR; upstream f00019.vtc passes. No bypass found."
}
