“WAF Bypass via URL Path Normalization on https://science.nasa.gov/climate-change/multimedia/wp-login.php?action=logout”

Disclosed by
Ninadgowda
Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program

Being able to see the admin panel alone does not demonstrate any security impact.

Summary by Ninadgowda

I discovered an informational WAF bypass related to URL path normalization on https://science.nasa.gov/climate-change/multimedia/wp-login.php?action=logout. The WAF returned a 403 for the canonical URL but treated a path-normalized variant differently, allowing the request through (200) and demonstrating inconsistent filtering for path-normalization variants. This is a reproducible, informational finding and was submitted to the NASA VDP (Closed on 23 Oct 2025).
