Anonymous Intelligence Signal

Critical Revision Tampering Vulnerability in ObjectStorageDurableStateStore Enables Concurrency Control Bypass

human The Lab unverified 2026-05-15 05:48:42 Source: GitHub Issues

A critical security flaw in the ObjectStorageDurableStateStore implementation allows revision tampering via JSON-body manipulation, effectively bypassing optimistic-concurrency controls for any deployment relying on this state management mechanism.

The vulnerability stems from the `load()` function in `ObjectStorageDurableStateStore.ts` (lines 75–98), which parses the `revision` field directly from the JSON body and trusts it for both return values and the etagCache. Because the `upsert()` function (lines 100–185) uses this cached revision for its compare-and-swap check, a tampered body revision can bypass the entire concurrency protection layer. The `BodyCodec.ts` wire format, which wraps AES-GCM authentication tags, does not provide protection in affected deployments.

The threat model requires write access to the object-storage backend rather than TCP-level cluster access. Attack vectors include a shared S3 bucket with overly permissive IAM policies, co-tenancy on a filesystem-backed store, insider access, or a compromised CI pipeline pushing directly to the storage bucket. Deployments without client-side encryption enabled are fully exposed to write and read corruption paths.
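The compare-and-swap weakness described above, as an added example that is not the project's code: a simplified TypeScript model in which a check keyed on the body's `revision` accepts a stale writer after the object is rewritten at the storage layer, next to a variant conditioned on a storage-assigned ETag. `ToyObjectStore`, `upsertByBodyRevision`, `upsertByEtag` and the ETag-conditioned write itself are assumptions for illustration; the page does not describe the eventual patch.

```typescript
// Added example: simplified model, not the project's code. All names are hypothetical.
type Stored = { body: string; etag: string };
type Loaded = { revision: number; value: string; etag: string };

// Toy backend (constructed): assigns a fresh opaque ETag on every write and
// supports an If-Match style conditional put.
class ToyObjectStore {
  private objects = new Map<string, Stored>();
  private writes = 0;
  get(key: string): Stored | undefined { return this.objects.get(key); }
  put(key: string, body: string, ifMatch?: string): boolean {
    const cur = this.objects.get(key);
    if (ifMatch !== undefined && (!cur || cur.etag !== ifMatch)) return false;
    this.writes += 1;
    this.objects.set(key, { body, etag: `etag-${this.writes}` });
    return true;
  }
}

function load(store: ToyObjectStore, key: string): Loaded {
  const obj = store.get(key);
  if (!obj) throw new Error(`missing object: ${key}`);
  const parsed = JSON.parse(obj.body) as { revision: number; value: string };
  return { revision: parsed.revision, value: parsed.value, etag: obj.etag };
}

const encode = (revision: number, value: string): string => JSON.stringify({ revision, value });

// Weak: compare-and-swap keyed on the revision parsed from the writable JSON body.
function upsertByBodyRevision(store: ToyObjectStore, key: string, seen: Loaded, value: string): boolean {
  if (load(store, key).revision !== seen.revision) return false;
  return store.put(key, encode(seen.revision + 1, value));
}

// Hardened: the write is conditional on the storage-assigned ETag observed at load time.
function upsertByEtag(store: ToyObjectStore, key: string, seen: Loaded, value: string): boolean {
  return store.put(key, encode(seen.revision + 1, value), seen.etag);
}

// Scenario: writer A loads revision 1, writer B commits revision 2, then the object
// is rewritten out of band with its body revision set back to 1.
function staleWriterAccepted(upsert: typeof upsertByBodyRevision): boolean {
  const store = new ToyObjectStore();
  store.put("state/k", encode(1, "initial"));
  const seenByA = load(store, "state/k");
  const seenByB = load(store, "state/k");
  upsertByEtag(store, "state/k", seenByB, "from B");        // legitimate commit, revision 2
  store.put("state/k", encode(1, "rewritten out of band")); // body revision no longer trustworthy
  return upsert(store, "state/k", seenByA, "from stale A");
}
```

Conditioning on the ETag only restores the compare-and-swap; it does not authenticate the revision value itself.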

The flaw carries significant implications for systems using DurableState as a consistency mechanism. State integrity guarantees collapse when revision numbers can be arbitrarily manipulated at the storage layer, potentially leading to data corruption, unauthorized overwrites, and inconsistent application state across distributed deployments. Organizations should audit their object storage permissions immediately, enforce least-privilege IAM configurations, and prioritize enabling client-side encryption as a compensating control while a patch is developed.