{
  "verdict": "confirmed_bypass",
  "variant_type": "bypass",
  "summary": "The 0.7.5 fix's _maxLength guard in case 1 only prevents oversized length headers. A binary frame with a valid length (within _maxLength) triggers the same message corruption via two unfixed bugs: (A) _buffer not reset in _parseLeadingByte for binary frames, and (B) 0xFF treated as frame terminator in skip mode. Confirmed on websocket-driver@0.7.5 (fixed version).",
  "tested_versions": {
    "vulnerable": "0.7.4",
    "fixed": "0.7.5"
  },
  "vulnerable_result": {
    "sentinel_delivered": false,
    "corrupted_message_after_malicious": true,
    "close_after_malicious": false,
    "readyState_final": 1,
    "positive_count": 2
  },
  "fixed_result": {
    "sentinel_delivered": false,
    "corrupted_message_after_malicious": true,
    "close_after_malicious": false,
    "readyState_final": 1,
    "positive_count": 2
  },
  "bypass_confirmed": true,
  "bypass_explanation": "On the fixed 0.7.5 build, the variant binary frame header (0x80 0x1E, length=30) passes the _maxLength guard (30 <= 67108863). The parser enters skip mode with a stale _buffer from the prior text frame. The sentinel text frame's bytes are consumed as skip data, and its 0xFF terminator triggers stale buffer emission. The sentinel is lost; a stale duplicate message is emitted; the connection stays open. This is identical to the original CVE impact.",
  "fix_coverage_gaps": [
    "_parseLeadingByte does not reset _buffer when entering binary frame mode (high bit set)",
    "Stage 2's if (octet === 0xFF) check fires before the skip-mode branch, treating 0xFF as a frame terminator even in skip mode"
  ],
  "exit_code": 0,
  "evidence_files": [
    "bundle/logs/variant_oracle_eval.txt",
    "bundle/logs/vuln_variant_result.json",
    "bundle/logs/fixed_variant_result.json",
    "bundle/logs/vuln_variant_run.log",
    "bundle/logs/fixed_variant_run.log",
    "bundle/logs/variant_repro.log"
  ]
}
