BugCrowd Bug Bounty Disclosure: P3 – Publicly Accessible .env File Exposing Hardcoded Credentials on NASA’s Git Repository – _x3ro_

Publicly Accessible .env File Exposing Hardcoded Credentials on NASA’s Git Repository

Researcher: _x3ro_
Engagement: National Aeronautics and Space Administration (NASA) – Vulnerability Disclosure Program
Disclosed at: 2025-08-20T15:18:45Z
Priority: P3
Status: Resolved

Summary

A publicly accessible .env file on NASA’s Bitbucket server exposed plaintext credentials used in a live UAT environment. These credentials were actively consumed by a script to authenticate with NASA’s SIT token service (cmr.sit.earthdata.nasa.gov). This exposure could have allowed unauthorized access, data extraction, or API abuse if exploited.
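The class of defect described above (a dotenv file with live credentials checked into a repository) is easy to catch before a push. The following script is an added example, not part of the disclosure or of NASA's code: it walks a snapshot of tracked files, flags every .env-style file that assigns a non-empty value to a credential-looking key, and checks whether .gitignore excludes dotenv files at all. The sample tree, its paths and its values are constructed placeholders.

```python
import re
from pathlib import PurePosixPath

# Constructed sample repository snapshot: {tracked path: file content}.
# In a real repo, build this from `git ls-files` so only committed files are scanned.
SAMPLE_TREE = {
    ".env": "DB_USER=uat_app\nDB_PASSWORD=example-not-real\nAPP_ENV=uat\n",
    "config/.env.uat": "TOKEN_SERVICE_URL=https://token.example.invalid\n"
                       "API_TOKEN=placeholder-token\n",
    ".env.example": "DB_PASSWORD=\nAPI_TOKEN=\n",          # template: empty values are fine
    "scripts/get_token.sh": "#!/bin/sh\n. ./.env\ncurl -u \"$DB_USER:$DB_PASSWORD\" \"$TOKEN_SERVICE_URL\"\n",
    "README.md": "# UAT helper\n",
    ".gitignore": "*.log\n",                                 # does not exclude .env files
}

# A key is treated as sensitive when it ENDS with a credential word, so
# TOKEN_SERVICE_URL (a URL, not a secret) is not reported while API_TOKEN is.
SENSITIVE_KEY = re.compile(
    r"^(?:export\s+)?([A-Z0-9_]*?(?:PASS(?:WORD)?|SECRET|TOKEN|API_KEY|PRIVATE_KEY))\s*=\s*(.*)$"
)

def is_env_file(path: str) -> bool:
    """True for `.env` and variants such as `.env.uat` or `.env.example`."""
    name = PurePosixPath(path).name
    return name == ".env" or name.startswith(".env.")

def find_exposed_secrets(tree: dict) -> list:
    """Return (path, key) for each tracked dotenv file assigning a non-empty secret value."""
    findings = []
    for path, content in tree.items():
        if not is_env_file(path):
            continue
        for line in content.splitlines():
            m = SENSITIVE_KEY.match(line.strip())
            if m and m.group(2).strip().strip("'\""):   # skip blank/template values
                findings.append((path, m.group(1)))
    return findings

def gitignore_covers_env(gitignore: str) -> bool:
    """True if .gitignore contains a pattern that would keep dotenv files out of commits."""
    patterns = {p.strip() for p in gitignore.splitlines() if p.strip() and not p.startswith("#")}
    return bool(patterns & {".env", ".env*", "*.env", ".env.*"})

if __name__ == "__main__":
    for path, key in find_exposed_secrets(SAMPLE_TREE):
        print(f"exposed secret: {path}: {key}")
    if not gitignore_covers_env(SAMPLE_TREE.get(".gitignore", "")):
        print("warning: .gitignore does not exclude .env files")
```

Run as a pre-commit or CI step, a non-empty result should fail the build; rotating any credential it reports is still required, since a secret that was ever committed must be treated as disclosed.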

Activity Feed

Actor | Details | Timestamp (UTC)
Ron_Rose | sent a message | 2025-08-20T15:29:23Z
Martin_NASA | published | 2025-08-20T15:18:45Z
_x3ro_ | requested | 2025-08-16T15:37:20Z
Mason357_Bugcrowd | changed the state to resolved | 2025-08-13T17:50:47Z
Martin_NASA | changed the state to unresolved | 2025-08-11T15:11:57Z
viper-bugcrowd | sent a message | 2025-08-11T14:39:42Z
viper-bugcrowd | changed the state to triaged | 2025-08-11T14:38:08Z
Ron_Rose | resolved a blocker | 2025-08-08T18:48:00Z
Mason357_Bugcrowd | sent a message | 2025-07-24T17:13:42Z
Mason357_Bugcrowd | created a blocker | 2025-07-24T17:13:36Z
_x3ro_ | created the submission | 2025-07-24T13:03:49Z
