{
  "root_cause_equivalence": "equivalent",
  "confidence": "high",
  "parent_root_cause": "Attacker-controlled Docker Destination network name is interpolated unsanitized into a shell command executed on the managed server over SSH via instant_remote_process() -> SshMultiplexingHelper::generateSshCommand() -> ssh root@<host> 'bash -se' << delim. Because the network becomes the body of a bash here-doc, shell metacharacters (; # $() backticks) are interpreted by the remote bash, yielding arbitrary command execution as root.",
  "parent_sink": "StandaloneDocker::created boot event -> instant_remote_process(['docker network inspect <network> ...'], $server) -> ssh 'bash -se' here-doc",
  "parent_entrypoint": "App\\Livewire\\Destination\\New\\Docker::submit() reading the validated $network Livewire property -> StandaloneDocker::create(['network'=>$this->network])",
  "variant_entrypoint": "App\\Livewire\\Server\\Destinations::add($name) taking the network as a Livewire method ARGUMENT (no #[Validate] property rule) -> StandaloneDocker::create(['network'=>$name])",
  "shared_sink": "App\\Models\\StandaloneDocker::created (app/Models/StandaloneDocker.php) -> instant_remote_process (bootstrap/helpers/remoteProcess.php) -> SshMultiplexingHelper::generateSshCommand (app/Helpers/SshMultiplexingHelper.php)",
  "shared_model": "App\\Models\\StandaloneDocker (the created boot event is identical in both paths on the vulnerable build)",
  "difference": "Only the entry point differs: the parent uses the destination.new.docker component's submit() with the network set as a validated public $network property; the variant uses the server.destinations component's add($name) method with the network passed as a call argument. Both converge on StandaloneDocker::create(['network'=>...]) -> StandaloneDocker::created -> instant_remote_process.",
  "fix_coverage_of_variant": "partial - PR #9228 added regex validation to the parent entry point's $network property but NOT to server.destinations.add($name). The variant is blocked on the fixed build solely by the setNetworkAttribute model mutator (defense in depth), which is also part of PR #9228. The fix's primary regex-validation layer does not cover the variant entry point.",
  "same_trust_boundary": true,
  "same_attacker_capability": true,
  "impact_parity": "full"
}
