{
  "verdict": "confirmed_alternate_trigger_not_bypass",
  "variant_confirmed": true,
  "bypass_confirmed": false,
  "claim_outcome": "confirmed_alternate_trigger_not_bypass",
  "claim_block_reason": "The Web UI /save-document alternate entrypoint is removed by the tested fixed commit, so it does not bypass the patch.",
  "repro_result": "confirmed_on_vulnerable_only",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "code_execution",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "Unauthenticated POST to the Feast Web UI /save-document endpoint with attacker-controlled file_path and JSON data, followed by Feast Feature Server startup consuming the written JSON through load_static_artifacts().",
  "trigger_path": "POST /save-document on feast.ui_server -> SaveDocumentRequest(file_path,data) -> Path(file_path).resolve() -> naive str(file_path).startswith(os.getcwd()) check bypass when cwd=/ -> write ui_variant_static_artifacts-labels.json -> Feast Feature Server startup -> load_static_artifacts() imports feature_repo/static_artifacts.py -> deployment component consumes attacker-written JSON -> startup hook executes",
  "end_to_end_target_reached": true,
  "fixed_target_reached": false,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": "Commit 4018e7b0c39825a5647fb17fc5607d72fb4bc0ce removes the Web UI /save-document endpoint as well as the Feature Server document endpoints. The fixed UI server reports HAS_SAVE_DOCUMENT=False and returns HTTP 405 for POST /save-document without writing a file.",
  "tested_versions": {
    "vulnerable_commit": "be1b52227e1ade9a3be9836391ade45eb1a26909",
    "fixed_commit": "4018e7b0c39825a5647fb17fc5607d72fb4bc0ce",
    "latest_origin_master": "f296d4ba14c5d512429219b2b7845673e0fe524d"
  },
  "runtime_evidence": {
    "reproducer": "bundle/vuln_variant/reproduction_steps.sh",
    "top_level_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "vulnerable_writer_log": "bundle/logs/vuln_variant/vuln_ui_writer.log",
    "vulnerable_consumer_log": "bundle/logs/vuln_variant/vuln_feature_consumer.log",
    "fixed_writer_log": "bundle/logs/vuln_variant/fixed_ui_writer.log",
    "marker": "bundle/vuln_variant/artifacts/ui_variant_rce_marker.vulnerable.txt"
  },
  "inferred": false
}
