{
  "claim_outcome": "not_confirmed_no_bypass",
  "claim_block_reason": null,
  "repro_result": "no_bypass",
  "validated_surface": "library_api",
  "evidence_scope": "production_path",
  "claimed_impact_class": "other",
  "observed_impact_class": "other",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "non-finite floating-point values (NaN, Infinity, -Infinity) carried inside nested containers (Map, List, Object[], non-List Collection) or custom Number subclasses / BigInteger placed in a logged MapMessage, serialized via getFormattedMessage([\"JSON\"]) or asJson()",
  "trigger_path": "MapMessage.getFormattedMessage([\"JSON\"]) -> MapMessage.format(JSON) -> MapMessage.asJson(sb) -> MapMessageJsonFormatter.format(sb, data, depth) -> {formatMap|formatList|formatCollection|formatObjectArray|formatNumber (incl. else-branch)|formatDoubleArray|formatFloatArray} -> fixed: formatDouble/formatFloat isFinite gating -> formatString quotes the value",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "bypass_confirmed": false,
  "alternate_triggers_on_vulnerable": true,
  "variant_outcome": "no_bypass_alternate_triggers_on_vulnerable",
  "tested_versions": {
    "2.25.4": {"ref": "rel/2.25.4", "commit_sha": "0628e53b25a33e496b509c40a39f2d7c64f2aa6c", "status": "VULNERABLE", "bare": 17, "quoted": 1, "parseFail": 17, "fix_present": false},
    "2.25.5": {"ref": "rel/2.25.5", "commit_sha": "2e1d9c6284af1da1dec189f4b5b98ac0f32a7645", "status": "FIXED", "bare": 0, "quoted": 18, "parseFail": 0, "fix_present": true},
    "2.26.0": {"ref": "rel/2.26.0", "commit_sha": "c1ad2a66cc90e643ec319b9e131764c9710bebc5", "status": "VULNERABLE", "bare": 17, "quoted": 1, "parseFail": 17, "fix_present": false},
    "2.26.1": {"ref": "rel/2.26.1", "commit_sha": "dd0f9d255e24e6bcc13bd2641407a409c0524803", "status": "FIXED", "bare": 0, "quoted": 18, "parseFail": 0, "fix_present": true}
  },
  "alternate_paths_tested": [
    "nested java.util.Map value (formatMap -> formatNumber)",
    "java.util.List value (formatList -> formatNumber)",
    "Object[] value (formatObjectArray -> formatNumber)",
    "non-List Collection: Set/ArrayDeque (formatCollection -> formatNumber)",
    "custom Number subclass (formatNumber else-branch)",
    "BigInteger overflow -> Infinity (formatNumber else-branch)",
    "StringBuilderFormattable emitting bare NaN (control: formatFormattable, always quoted)"
  ],
  "blocking_mitigation": "PR #4163 fix gates the SINK (formatNumber/formatDoubleArray/formatFloatArray) via formatDouble/formatFloat isFinite checks rather than individual entry paths. Every Number-bearing dispatcher branch (formatMap, formatList, formatCollection, formatObjectArray, formatNumber incl. else-branch) recurses to that sink, so all alternate data paths inherit the fix. Verified empirically: fixed 2.25.5 and 2.26.1 emit 0 bare non-finite tokens (0 strict-JSON parse failures) across all 18 alternate-path cases. The StringBuilderFormattable path is safe-by-construction (quotes+escapes). No bypass exists within the CVE's sink.",
  "inferred": false
}
