{
  "variant_outcome": "confirmed",
  "is_bypass": true,
  "vulnerable_version_exploited": true,
  "fixed_version_exploited": true,
  "validated_surface": "api_remote_to_sftp_filesystem",
  "evidence_scope": "production_path",
  "claimed_impact_class": "path_traversal_arbitrary_file_write",
  "observed_impact_class": "path_traversal_arbitrary_file_write",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "GCS object name 'subdir/link/symlink_escape_1.txt' returned by bucket listing; no '..' segment is needed. The SFTP destination tree contains a symlink named subdir/link pointing outside destination_path.",
  "trigger_path": "GCSToSFTPOperator.execute() -> GCSHook.list/download -> _resolve_destination_path lexical normpath containment -> SFTPHook.store_file -> SFTP server resolves symlink outside destination_path",
  "end_to_end_target_reached": true,
  "distinct_from_parent": "yes: does not use '..' object names and bypasses the fixed 22.2.1 lexical containment check via symlink resolution at the sink",
  "blocking_mitigation": null,
  "inferred": false,
  "artifact_refs": {
    "repro_log": "logs/vuln_variant_reproduction_steps.log",
    "vulnerable_attempt": "logs/vuln_variant_attempt_22.1.0_1.json",
    "fixed_attempt": "logs/vuln_variant_attempt_22.2.1_1.json",
    "source_identity": "vuln_variant/source_identity.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json"
  }
}