{
  "variant_id": "CVE-2026-49844-vulnvariant-mapmessage-alternate-datapaths",
  "created_at": "2026-07-13T00:00:00Z",
  "variant_summary": "Variant/bypass analysis of CVE-2026-49844 (MapMessageJsonFormatter non-finite JSON encoding). Tested every alternate data-path dispatcher branch (nested Map, List, Object[], non-List Collection, custom Number via formatNumber else-branch, BigInteger overflow-to-Infinity, StringBuilderFormattable control) into the same sink. Alternate triggers reproduce on vulnerable 2.25.4/2.26.0 (17 bare tokens each), but the PR #4163 fix quotes ALL alternate paths on fixed 2.25.5/2.26.1 (0 bare tokens). No bypass found; the fix is complete because it gates the sink rather than individual entry paths.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/apache/logging-log4j2",
  "submitted_target": {
    "target_kind": "maven_artifact",
    "commit_sha": "0628e53b25a33e496b509c40a39f2d7c64f2aa6c",
    "version": "2.25.4",
    "ref": "rel/2.25.4",
    "display": "log4j-api 2.25.4 (rel/2.25.4) — vulnerable parent target"
  },
  "variant_target": {
    "target_kind": "maven_artifact",
    "commit_sha": "dd0f9d255e24e6bcc13bd2641407a409c0524803",
    "version": "2.26.1",
    "ref": "rel/2.26.1",
    "display": "log4j-api 2.26.1 (rel/2.26.1) — highest tested fixed version (bypass test target); also tested 2.25.5"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "library_api",
  "validated_surface": "library_api",
  "required_entrypoint_kind": "function_call",
  "required_entrypoint_detail": "MapMessage.getFormattedMessage([\"JSON\"]) / MapMessage.asJson(StringBuilder) / MapMessage.asString(\"JSON\") with non-finite floating-point values placed in the map as: nested java.util.Map, List, Object[], non-List Collection, custom Number subclass, BigInteger (overflow), or StringBuilderFormattable",
  "attacker_controlled_input": "non-finite floating-point values (NaN, Infinity, -Infinity) carried inside nested containers or custom Number subclasses placed in a logged MapMessage, serialized via getFormattedMessage([\"JSON\"]) or asJson()",
  "trigger_path": "MapMessage.getFormattedMessage([\"JSON\"]) -> MapMessage.format(JSON) -> MapMessage.asJson(sb) -> MapMessageJsonFormatter.format(sb, data, depth) -> {formatMap|formatList|formatCollection|formatObjectArray|formatNumber} -> formatNumber (incl. else-branch) / formatDoubleArray / formatFloatArray -> [vulnerable: sb.append(doubleNumber) emits bare NaN/Infinity; fixed: formatDouble/formatFloat gates via isFinite -> formatString quotes]",
  "observed_impact_class": "other",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "PR #4163 fix (formatDouble/formatFloat isFinite gating) covers all Number-bearing dispatcher branches in MapMessageJsonFormatter. Verified empirically: fixed 2.25.5 and 2.26.1 emit 0 bare non-finite tokens across all 18 alternate-path cases (0 strict-JSON parse failures). No bypass.",
  "file_path": "log4j-api/src/main/java/org/apache/logging/log4j/message/MapMessageJsonFormatter.java",
  "line_start": 233,
  "line_end": 392,
  "secondary_anchors": [
    {
      "file_path": "log4j-api/src/main/java/org/apache/logging/log4j/message/MapMessage.java",
      "line_start": 423,
      "line_end": 424
    },
    {
      "file_path": "log4j-api/src/main/java/org/apache/logging/log4j/message/MapMessageJsonFormatter.java",
      "line_start": 79,
      "line_end": 160
    }
  ],
  "review_scope_paths": [
    "log4j-api/src/main/java/org/apache/logging/log4j/message/MapMessageJsonFormatter.java",
    "log4j-api/src/main/java/org/apache/logging/log4j/message/MapMessage.java",
    "log4j-layout-template-json/src/main/java/org/apache/logging/log4j/layout/template/json/util/JsonWriter.java",
    "log4j-layout-template-json/src/main/java/org/apache/logging/log4j/layout/template/json/resolver/MessageResolver.java"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "repro_log": "logs/vuln_variant/variant_2.26.1.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "vuln_variant/reproduction_steps.sh",
      "vuln_variant/VariantTest.java"
    ]
  }
}
