{
  "verdict": "confirmed_distinct_bypass",
  "confirmed": true,
  "bypass": true,
  "variant_summary": "Fixed Apache Camel camel-docling 4.18.3 rejects unknown CamelDoclingCustomArguments, but still passes the separate CamelDoclingOutputFilePath header directly as the docling --output value without path normalization/traversal validation. An HTTP-controlled X-Out value mapped to CamelDoclingOutputFilePath traverses from safe-output to ../escaped-output on fixed 4.18.3 and latest-tested 4.21.0.",
  "tested_versions": [
    {
      "version": "4.18.2",
      "role": "affected_control",
      "release_tag": "camel-4.18.2",
      "commit_sha": "3864c200f46aa055a0714a069c702c433aca7097",
      "custom_args_control_rejected": false,
      "output_header_traversal_marker": true
    },
    {
      "version": "4.18.3",
      "role": "fixed_bypass_target",
      "release_tag": "camel-4.18.3",
      "commit_sha": "6cc2920f7fd0dc642162aca00288f8dc0c9e37de",
      "custom_args_control_rejected": true,
      "output_header_traversal_marker": true
    },
    {
      "version": "4.21.0",
      "role": "latest_tested_bypass_target",
      "release_tag": "camel-4.21.0",
      "commit_sha": "a84c468557bba6d400fb9675351d7efe64ce01b4",
      "custom_args_control_rejected": true,
      "output_header_traversal_marker": true
    }
  ],
  "validated_surface": "api_remote",
  "evidence_scope": "production_camel_path_with_controlled_docling_cli_stub",
  "observed_impact_class": "path_traversal",
  "claimed_parent_impact_class": "argument_injection_path_traversal_and_plugin_mediated_code_execution",
  "impact_parity": "partial",
  "attacker_controlled_input": "HTTP header X-Out with value ../escaped-output, mapped by the route into CamelDoclingOutputFilePath after joining with SAFE_OUTPUT_DIR",
  "trigger_path": "GET /convert with X-Out: ../escaped-output -> camel-jetty -> route sets CamelDoclingOutputFilePath=<safe-output>/../escaped-output -> DoclingProducer.addOutputDirectoryArguments() -> ProcessBuilder argv --output <safe-output>/../escaped-output -> docling writes outside SAFE_OUTPUT_DIR",
  "end_to_end_target_reached": true,
  "exploit_chain_demonstrated": true,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "sanitizer_used": false,
  "blocking_mitigation": null,
  "notes": "The control request on 4.18.3 and 4.21.0 confirms that the custom-argument allowlist is active. The bypass does not use CamelDoclingCustomArguments; it uses the separate path-bearing CamelDoclingOutputFilePath header path that the fix did not validate.",
  "artifact_refs": {
    "reproducer": "bundle/vuln_variant/reproduction_steps.sh",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "fixed_docling_invocations": "bundle/logs/vuln_variant/fixed_4.18.3_docling_invocations.log",
    "fixed_marker": "bundle/logs/vuln_variant/fixed_4.18.3_escaped_marker.txt",
    "latest_docling_invocations": "bundle/logs/vuln_variant/latest_4.21.0_docling_invocations.log",
    "latest_marker": "bundle/logs/vuln_variant/latest_4.21.0_escaped_marker.txt",
    "custom_args_control": "bundle/logs/vuln_variant/fixed_4.18.3_custom_args_control_response.txt"
  },
  "inferred": false
}
