Vulnerability Report – Server-Side Request Forgery (SSRF)

Disclosed by
Theekshana_kusal
Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program

images.nasa.gov is working as intended

Summary by Theekshana_kusal

A Server-Side Request Forgery (SSRF) issue was identified in the NASA Image and Video Library (images.nasa.gov).
The vulnerability allowed remote attackers to manipulate a URL parameter and make the server initiate outbound HTTP requests to arbitrary domains.

Using a controlled payload, I confirmed the server successfully fetched content from an external domain, demonstrating SSRF behavior. No sensitive internal access was tested, in compliance with NASA’s Vulnerability Disclosure Policy.

NASA triaged the finding as Informational, acknowledging the report but assessing limited risk due to internal mitigations and controlled network access.

This report helps highlight the importance of validating and allow-listing outbound requests in web applications that process user-supplied URLs.
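The allow-list check the summary calls for, as an added example; this is not code from images.nasa.gov, NASA, or the reporter, and the backend language of the site is not stated in the report, so Python is used for illustration. The allow-listed host names, the FAKE_DNS table, and the sample URLs are constructed. The validator rejects non-HTTP schemes, URLs with userinfo (which move the allow-listed name into the credential slot), IP literals, ports other than 80 and 443, hosts not on the allow-list, and names that resolve to any non-public address:

```python
"""Allow-list validation for user-supplied URLs before a server-side fetch.

Added example, not code from images.nasa.gov. ALLOWED_HOSTS, FAKE_DNS and
the sample URLs are constructed for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list of exact host names the service may fetch from.
ALLOWED_HOSTS = frozenset({"images-assets.nasa.gov", "images-api.nasa.gov"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_PORTS = frozenset({None, 80, 443})   # None = scheme default


class UnsafeURL(ValueError):
    """The URL failed an allow-list or destination-address check."""


def is_public_ip(ip):
    """True only for addresses outside private, loopback, link-local,
    multicast, reserved and unspecified ranges (IPv4 and IPv6)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def default_resolve(host):
    """Resolve a name to the set of IP strings it maps to (uses the network)."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=default_resolve):
    """Return the set of public IPs a fetch of `url` may connect to,
    or raise UnsafeURL. Callers should connect to one of the returned
    addresses (with Host/SNI set to the name) rather than re-resolving,
    which narrows the DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:          # urlsplit lowercases the scheme
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "https://allowed.host@evil.example/" puts the allowed name in userinfo
        raise UnsafeURL("userinfo in URL is not allowed")
    host = parts.hostname                             # lowercased, [] stripped for IPv6
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port
    except ValueError:                                # non-numeric port
        port = -1
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                                          # a name, as required
    else:
        raise UnsafeURL("IP literals are not allowed; use an allow-listed name")
    if host not in allowed_hosts:                     # exact match, no suffix rules
        raise UnsafeURL(f"host not on allow-list: {host!r}")
    addrs = set(resolve(host))
    if not addrs:
        raise UnsafeURL(f"{host!r} did not resolve")
    bad = sorted(a for a in addrs if not is_public_ip(a))
    if bad:
        raise UnsafeURL(f"{host!r} resolves to non-public address(es): {bad}")
    return addrs


def is_safe_outbound_url(url, **kwargs):
    """Boolean wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except UnsafeURL:
        return False


# Constructed resolver so the example runs offline; addresses are placeholders.
FAKE_DNS = {
    "images-assets.nasa.gov": {"1.2.3.4"},
    "images-api.nasa.gov": {"1.2.3.5", "10.0.0.5"},  # split/rebound answer
    "attacker.example": {"1.2.3.6"},
}


def fake_resolve(host):
    return FAKE_DNS.get(host, set())


def demo():
    """Run the validator over constructed sample URLs; returns url -> verdict."""
    samples = [
        "https://images-assets.nasa.gov/image/PIA01234/PIA01234~orig.jpg",
        "http://attacker.example/",
        "http://169.254.169.254/latest/meta-data/",
        "https://images-assets.nasa.gov@attacker.example/",
        "file:///etc/passwd",
        "https://images-api.nasa.gov/",
        "https://images-assets.nasa.gov:8080/",
    ]
    verdicts = {}
    for url in samples:
        try:
            verdicts[url] = f"ok: {sorted(validate_outbound_url(url, resolve=fake_resolve))}"
        except UnsafeURL as exc:
            verdicts[url] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{url}\n    {verdict}")
```

Exact host matching is deliberate: suffix rules are where `allowed.example.evil.com`-style bypasses creep in. The returned address set is meant to be pinned by the HTTP client; re-resolving at connect time reopens the rebinding gap the check closes. A 3xx redirect from an allow-listed host must be run through the same validator before it is followed, which most HTTP clients do not do by default.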
