{
  "variant_id": "CVE-2026-57527-request-panel-jsf-viewstate-alternate-trigger",
  "created_at": "2026-07-05T07:31:00Z",
  "variant_summary": "A malicious javax.faces.ViewState value in a proxied HTTP request body reaches the same JSFViewState.decode/ObjectInputStream.readObject sink through the ViewState add-on request-panel factory on vulnerable versions. The fixed commit blocks this alternate trigger by removing the shared JSF registration, so no fixed-version bypass was found.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/zaproxy/zap-extensions",
  "submitted_target": {
    "target_kind": "git_commit_parent_of_fix",
    "commit_sha": "7e686c0900e82bb73b57880c0328d012269f8741",
    "version": "viewstate_before_4",
    "ref": "ac6c3f94d38505bc0facea286a4d3728044c6e5c^",
    "display": "ZAP ViewState add-on before version 4; vulnerable fixed-parent commit 7e686c0900e82bb73b57880c0328d012269f8741"
  },
  "variant_target": {
    "target_kind": "git_commit_fixed_negative_control",
    "commit_sha": "ac6c3f94d38505bc0facea286a4d3728044c6e5c",
    "version": "viewstate_v4",
    "ref": "ac6c3f94d38505bc0facea286a4d3728044c6e5c",
    "display": "ZAP ViewState add-on version 4 fix commit; alternate request-panel trigger tested and blocked"
  },
  "same_root_cause_confidence": 0.96,
  "same_surface_confidence": 0.72,
  "claimed_surface": "Malicious proxied HTTP response body containing javax.faces.ViewState triggers JSF ViewState deserialization in the ZAP ViewState add-on response panel.",
  "validated_surface": "Proxied HTTP request body containing form parameter javax.faces.ViewState triggers JSF ViewState deserialization in the ZAP ViewState add-on request panel on the vulnerable commit, but not on the fixed commit.",
  "required_entrypoint_kind": "proxied_http_request_body",
  "required_entrypoint_detail": "application/x-www-form-urlencoded request body parameter javax.faces.ViewState=<Base64 Java serialized object>, processed by ExtensionHttpPanelViewStateView$RequestSplitBodyViewStateViewFactory",
  "attacker_controlled_input": "The javax.faces.ViewState request parameter value. In a real deployment this could be produced by a malicious site causing a browser/user workflow through ZAP to send a crafted JSF form request.",
  "trigger_path": [
    "ExtensionHttpPanelViewStateView$RequestSplitBodyViewStateViewFactory.getNewView",
    "HttpPanelViewStateView",
    "DefaultHttpPanelViewModel.setMessage(HttpMessage)",
    "HttpPanelViewStateView.dataChanged",
    "ViewStateModel.getData",
    "ViewStateModel.getViewStateParam (VS_ACTION_REQUEST)",
    "JSFViewState.decode",
    "ObjectInputStream.readObject"
  ],
  "observed_impact_class": "code_execution_on_vulnerable_version_only",
  "exploitability_confidence": 0.78,
  "evidence_scope": "runtime_positive_on_vulnerable_commit_and_runtime_negative_on_fixed_commit; latest_cached_source_inspected",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "not_a_fixed_version_bypass",
  "blocking_mitigation": "Fixed commit ac6c3f94d38505bc0facea286a4d3728044c6e5c comments out the only javax.faces.ViewState registration in ViewStateModel, leaving request and response panel models with only ASP ViewState registrations.",
  "file_path": "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/ViewStateModel.java",
  "line_start": 56,
  "line_end": 96,
  "secondary_anchors": [
    {
      "file_path": "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/ExtensionHttpPanelViewStateView.java",
      "line_start": 92,
      "line_end": 129
    },
    {
      "file_path": "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/zap/utils/JSFViewState.java",
      "line_start": 76,
      "line_end": 92
    },
    {
      "file_path": "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/HttpPanelViewStateView.java",
      "line_start": 184,
      "line_end": 190
    }
  ],
  "review_scope_paths": [
    "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/ViewStateModel.java",
    "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/ExtensionHttpPanelViewStateView.java",
    "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/HttpPanelViewStateView.java",
    "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/zap/utils/JSFViewState.java",
    "addOns/viewstate/CHANGELOG.md",
    "addOns/viewstate/viewstate.gradle.kts"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant_reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
