How matchers work whose part area lacking suffix in multiple requests scenario, such as CVE-2021-28169

[zhangyuchaoxjtu]

'''yaml
method: GET
path:
- "{{BaseURL}}/static?/%2557EB-INF/web.xml"
- "{{BaseURL}}/concat?/%2557EB-INF/web.xml"

matchers-condition: and
matchers:
  - type: word
    part: header
    words:
      - "application/xml"

  - type: word
    part: body
    words:
      - "</web-app>"
      - "java.sun.com"
    condition: and

  - type: status
    status:
      - 200

'''

For example above CVE-2021-28169，this template will send two requests with different paths, one of paths is '{{BaseURL}}/static?/%2557EB-INF/web.xml', meanwhile another is '{{BaseURL}}/concat?/%2557EB-INF/web.xml'. But matchers are only 1 group with 'and' condition, and in these three matchers no suffix added in part area. I wonder how matchers work in this template. I have two ways of understanding:
#1
Nuclei engine will send these two requests separately and match the response separately.

If response_1 satisfies all three matching conditions simultaneously, or response_2 satisfies all three conditions simultaneously, it will indicate the existence of this vulnerability only under the above two conditions.

#2
Nuclei engine will send these two requests separately and match the response globally.

If response_1 only satisfies one of the three matching conditions, while response_2 satisfies the remaining two matching conditions, it will indicate that this vulnerability also exists.

I would like to know which of the two ways of understanding mentioned above is correct.
Thanks a lot.

[alishanawer]

In Nuclei, matchers are always applied per-request, not globally across multiple requests.

That means your understanding #1 is correct

• The engine will send both requests (/static?... and /concat?...).
• Each response is evaluated independently against the matcher group.
• For a template to succeed, one single response must satisfy all matchers under the and condition (status = 200, header includes application/xml, and body includes both </web-app> and java.sun.com).
• If request Add dir-listing.yaml #1 meets all conditions → template matches.
• If request CVE-2018-3760 Rails #2 meets all conditions → template matches.
• If request Add dir-listing.yaml #1 and CVE-2018-3760 Rails #2 “split” the matchers (one has the header, the other has the body, etc.), the template will not match.

So matchers are not aggregated across multiple requests — they’re evaluated per-response. If you need “cross-request correlation” behavior, you’d have to use extractors + dsl to carry values forward and then assert conditions explicitly.

[zhangyuchaoxjtu]

I got it! Thank you @alishanawer