{
  "root_cause": "GraalVM polyglot Context objects created with full host access (HostAccess.ALL for JS, allowAllAccess(true) for Python), allowing user-supplied script expressions to bootstrap Java reflection or Java interop to reach java.lang.Runtime.exec() for arbitrary OS command execution. The unauthenticated Conductor REST API allows any remote attacker to register and execute workflows containing these expressions.",
  "parent_sink": "ScriptEvaluator.createNewContext() [JS] + PythonEvaluator.evaluate() [Python] — two GraalVM Context creation sites",
  "variant_sinks": [
    {
      "variant_id": "A",
      "sink": "PythonEvaluator.evaluate() -> Context.newBuilder(\"python\").allowAllAccess(true).build()",
      "same_root_cause": true,
      "confidence": "high",
      "rationale": "Same vulnerability class (full host access GraalVM context), different context builder (Python vs JS), same unauthenticated API entry point, same impact (Runtime.exec RCE). The fix patches this sink separately (removes allowAllAccess(true))."
    },
    {
      "variant_id": "B",
      "sink": "Lambda.execute() -> ScriptEvaluator.eval(\"function scriptFun(){<expr>} scriptFun();\", taskInput) -> createNewContext()",
      "same_root_cause": true,
      "confidence": "high",
      "rationale": "Same sink (ScriptEvaluator.createNewContext with HostAccess.ALL), different task type (LAMBDA vs INLINE), different expression wrapping (function wrapper vs bare expression). The fix patches the shared sink."
    },
    {
      "variant_id": "C",
      "sink": "GraalJSEvaluator.evaluate() -> ScriptEvaluator.eval(expression, inputCopy) -> createNewContext()",
      "same_root_cause": true,
      "confidence": "high",
      "rationale": "Same sink (ScriptEvaluator.createNewContext with HostAccess.ALL), different evaluator alias (graaljs vs javascript). GraalJSEvaluator delegates to ScriptEvaluator.eval(). The fix patches the shared sink."
    }
  ],
  "fix_coverage": "complete",
  "fix_analysis": "The fix (commits 87a7d96 + c691e35, release 3.30.2) patches both GraalVM context creation sites: ScriptEvaluator.createNewContext() with denyAccess + allowHostClassLoading(false) + allowCreateProcess(false) + allowIO(IOAccess.NONE) + js.load=false; PythonEvaluator with allowAllAccess(true) removed. All entry points funnel through these two sinks. No bypass found.",
  "equivalence_assessment": "All three variants share the same root cause (full-host-access GraalVM context + unauthenticated API). Variants A and B/C reach different sinks (PythonEvaluator vs ScriptEvaluator) but the underlying vulnerability class is identical. The fix covers both sinks. Variant C is an alias of the original trigger (same sink, different evaluator name)."
}
