Skip to content
Verified reproduction

CVE-2026-57527: ZAP ViewState add-on insecure deserialization RCE

CVE-2026-57527 is verified against zaproxy/zap-extensions · github affected versions: ViewState add-on versions 1, 2, and 3 (before version 4) fixed version: ViewState add-on version 4 vulnerability class: RCE This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00249.

REPRO-2026-00249 zaproxy/zap-extensions · github RCE Variant found Jul 6, 2026 .txt
Severity HIGH
Confidence HIGH
Reproduced in 26m 16s
Tool calls 263
Spend $7.43
Affected ViewState add-on versions 1, 2, and 3 (before version 4)
Fixed in ViewState add-on version 4
$ pruva-verify REPRO-2026-00249
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00249/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability. An attacker who controls a proxied web server can embed a malicious serialized Java object in a ViewState response; when ZAP's ViewState add-on parses it, arbitrary code execution occurs. Reproduce: install ZAP with the ViewState add-on <4, run ZAP as a proxy, and browse a malicious page that returns a crafted ViewState payload. The add-on deserializes the payload and executes code.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/artifact_promotion_manifest.json16.3 KB
bundle/vuln_variant/source_identity.json1.8 KB
bundle/vuln_variant/root_cause_equivalence.json1.7 KB
bundle/repro/reproduction_steps.sh26.6 KB
bundle/repro/artifacts/marker_vuln.txt0.3 KB
bundle/repro/artifacts/rce_output.txt0.1 KB
bundle/repro/artifacts/fix.patch3.0 KB
bundle/repro/runtime_manifest.json1.5 KB
bundle/repro/validation_verdict.json0.8 KB
bundle/repro/rca_report.md11.2 KB
bundle/logs/vuln_harness_1.log3.9 KB
bundle/logs/reproduction_steps.log17.8 KB
bundle/repro/artifacts/vuln_marker_1.txt2.4 KB
bundle/repro/artifacts/source_identity.txt0.6 KB
bundle/logs/build_vuln.log3.2 KB
bundle/logs/build_fixed.log3.2 KB
bundle/logs/vuln_harness_2.log3.9 KB
bundle/logs/fixed_harness_1.log1.3 KB
bundle/logs/fixed_harness_2.log1.3 KB
bundle/logs/server_vuln_1.log0.2 KB
bundle/logs/server_vuln_2.log0.2 KB
bundle/logs/server_fixed_1.log0.2 KB
bundle/logs/server_fixed_2.log0.2 KB
bundle/repro/artifacts/product_path_harness.java6.9 KB
bundle/repro/artifacts/payload.b640.4 KB
bundle/repro/artifacts/vuln_marker_2.txt2.4 KB
bundle/repro/artifacts/vuln_rce_output_1.txt0.1 KB
bundle/repro/artifacts/vuln_rce_output_2.txt0.1 KB
bundle/vuln_variant/reproduction_steps.sh20.7 KB
bundle/vuln_variant/rca_report.md11.2 KB
bundle/vuln_variant/patch_analysis.md7.5 KB
bundle/vuln_variant/variant_manifest.json4.9 KB
bundle/vuln_variant/validation_verdict.json3.1 KB
bundle/vuln_variant/runtime_manifest.json1.5 KB
bundle/logs/vuln_variant_reproduction_steps.log10.7 KB
bundle/logs/vuln_variant_request_vuln.log3.9 KB
bundle/logs/vuln_variant_request_fixed.log1.3 KB
bundle/vuln_variant/artifacts/request_vuln_marker.txt2.4 KB
bundle/logs/vuln_variant_build_vuln.log3.2 KB
bundle/logs/vuln_variant_build_fixed.log3.2 KB
bundle/vuln_variant/artifacts/request_variant_harness.java5.8 KB
bundle/vuln_variant/artifacts/request_payload_vuln.b640.4 KB
bundle/vuln_variant/artifacts/request_payload_fixed.b640.4 KB
bundle/vuln_variant/artifacts/request_vuln_rce_output.txt0.1 KB
bundle/vuln_variant/artifacts/source_identity_request_variant.txt0.7 KB