{
  "verdict": "confirmed_alternate_trigger_no_fixed_bypass",
  "distinct_variant_confirmed": true,
  "fixed_version_bypass_confirmed": false,
  "variant_summary": "A malicious JSF ViewState value in a proxied HTTP request body reaches the same JSFViewState.decode/ObjectInputStream.readObject sink through the ViewState add-on request-panel factory on the vulnerable commit, but the fixed commit blocks it by removing the shared javax.faces.ViewState registration.",
  "repository": "https://github.com/zaproxy/zap-extensions",
  "tested_versions": {
    "vulnerable": {
      "commit_sha": "7e686c0900e82bb73b57880c0328d012269f8741",
      "role": "fixed_commit_parent",
      "result": "request_panel_variant_reproduced",
      "observed_impact_class": "code_execution"
    },
    "fixed": {
      "commit_sha": "ac6c3f94d38505bc0facea286a4d3728044c6e5c",
      "role": "fix_commit_viewstate_v4",
      "result": "blocked_no_deserialization",
      "observed_impact_class": "none"
    },
    "latest_inspected": {
      "commit_sha": "c639b4e3fe10e472cbe8542de7fbe3964b4d4ce7",
      "role": "default_cached_repo_head",
      "result": "source_inspection_shows_jsf_registration_still_commented_out"
    }
  },
  "entrypoint_kind": "proxied_http_request_body",
  "entrypoint_detail": "application/x-www-form-urlencoded request body containing javax.faces.ViewState=<Base64 serialized Java object>, processed by ExtensionHttpPanelViewStateView$RequestSplitBodyViewStateViewFactory",
  "same_root_cause": true,
  "same_root_cause_evidence": [
    "Vulnerable request-panel run reached org.zaproxy.zap.extension.viewstate.zap.utils.JSFViewState.decode(JSFViewState.java:92).",
    "Stack trace includes ViewStateModel.getData(ViewStateModel.java:183) and DefaultHttpPanelViewModel.setMessage(DefaultHttpPanelViewModel.java:42).",
    "Fixed request-panel run has ViewStateModel.has_jsf_registration=false and produced no marker/RCE output."
  ],
  "evidence": {
    "reproducer": "bundle/vuln_variant/reproduction_steps.sh",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "vulnerable_log": "bundle/logs/vuln_variant_request_vuln.log",
    "fixed_log": "bundle/logs/vuln_variant_request_fixed.log",
    "master_log": "bundle/logs/vuln_variant_reproduction_steps.log",
    "vulnerable_marker": "bundle/vuln_variant/artifacts/request_vuln_marker.txt",
    "vulnerable_rce_output": "bundle/vuln_variant/artifacts/request_vuln_rce_output.txt",
    "source_identity_text": "bundle/vuln_variant/artifacts/source_identity_request_variant.txt"
  },
  "script_exit_code_semantics": {
    "observed_exit_code": 1,
    "meaning": "Variant works on vulnerable version but not on fixed version; no fixed-version bypass."
  },
  "blocking_mitigation": "Commit ac6c3f94d38505bc0facea286a4d3728044c6e5c comments out the only javax.faces.ViewState registration in ViewStateModel, so neither request nor response panel models instantiate JSFViewState from proxied HTTP input.",
  "recommendation": "Keep JSF support disabled, add regression tests for both request and response ViewState panel factories, and remove or filter JSFViewState.decode() if JSF support is ever restored."
}
