Assalamualaikum (Peace be upon you) everyone! After maybe more than a year, I'm writing again. It's been quite a busy year for me & I couldn't spend much time hunting or writing anything. But here I am again, sharing the story of my first ever RCE, and it's much more special for me since it was in one of the NASA subdomains. I can tell hacking NASA is everyone's childhood dream, right? So is mine. And finally I did it lol! So let's get right into it!
As I said earlier, it was a quite busy year for me & I was handling a lot of stuff at once. So I became a bit irregular on bug bounty hunting. One day while I was coming home after my classes, a notification popped up on my phone regarding the latest React2Shell vulnerability (CVE-2025-55182), but sadly, with the traffic jam and all the other stuff, I had almost forgotten about it by the time I reached home 😅️ After about 2–3 days, in a discussion with Md. Fazle Rabbi, I remembered it again as he was showing me one of his findings of the CVE 😑️
I quickly started looking for demonstrations of the vulnerability and tried to figure out what could be "a lead" that would help me select the potential targets to test. At this point you could say "Man! Just run a nuclei template or use the exploit available on GitHub." Yes, I could, but think about it. If you're running a nuclei template or the specific exploit script against all your hosts, you're just wasting time testing targets that aren't even built with NextJS or ReactJS. Makes sense?
So what key points do we have that can help us separate out the targets that are potentially vulnerable to React2Shell?
- The target must be running on NextJS / ReactJS
So I listed out the targets based on this, but realized that not all targets using React or Next are actually vulnerable. The vulnerability is specifically tied to the implementation of React Server Components (RSC) and the "Flight" protocol used for data serialization. I'm not gonna go deep into that for now. So I figured out that most targets using RSC return an HTTP header like this: "Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding"
Now what key point do we have?
- targets with "vary: rsc" in the Vary header of their HTTP response
See, now we have a better & much more accurate key point for gathering hosts that are more likely to be vulnerable. Right? Time to move forward!
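The Vary-header fingerprint above is just as useful on the defensive side: an app owner or blue team can run the same check over their own host list to find which sites advertise RSC and therefore need their Next.js/React version verified against the patch. The script below is an added example (not the author's tooling, not from the Next.js project) that parses the Vary header exactly as described above, handles repeated or differently cased Vary headers, and triages a constructed inventory; the hostnames, the header values other than the one quoted in the post, and the `fetch_headers` helper are my assumptions. It only reports "verify-rsc" rather than "vulnerable", because, as the post notes, using RSC does not by itself mean the CVE applies.

```python
"""Added example: triage hosts by the "Vary: rsc" fingerprint from the write-up.

Not the author's tooling. Sample inventory below is constructed so the script
runs offline; fetch_headers() is an optional live helper for your own hosts.
"""
from typing import Dict, List, Tuple
import urllib.error
import urllib.request

Header = Tuple[str, str]

# Tokens Next.js adds to Vary alongside "rsc" when the App Router is in use
# (taken from the header quoted in the write-up).
NEXT_ROUTER_TOKENS = {
    "next-router-state-tree",
    "next-router-prefetch",
    "next-router-segment-prefetch",
}


def vary_tokens(headers: List[Header]) -> List[str]:
    """Collect every Vary token, lowercased, across possibly repeated Vary headers."""
    tokens: List[str] = []
    for name, value in headers:
        if name.lower() != "vary":
            continue
        for part in value.split(","):
            part = part.strip().lower()
            if part:
                tokens.append(part)
    return tokens


def rsc_indicators(headers: List[Header]) -> Dict[str, object]:
    """Return whether 'rsc' is advertised and which next-router-* tokens accompany it."""
    tokens = set(vary_tokens(headers))
    return {
        "rsc": "rsc" in tokens,
        "next_router": sorted(tokens & NEXT_ROUTER_TOKENS),
    }


def triage(inventory: Dict[str, List[Header]]) -> Dict[str, str]:
    """Label each host: 'verify-rsc' if Vary advertises rsc, else 'no-rsc-signal'.

    'verify-rsc' means "check the framework version against the advisory",
    not "vulnerable": RSC alone is only the fingerprint the write-up uses.
    """
    return {
        host: ("verify-rsc" if rsc_indicators(hdrs)["rsc"] else "no-rsc-signal")
        for host, hdrs in inventory.items()
    }


def fetch_headers(url: str, timeout: float = 10.0) -> List[Header]:
    """Live helper (assumed usage on hosts you own): GET the URL, return its headers.

    4xx/5xx responses still carry headers, so they are returned rather than raised.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "rsc-inventory-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return list(resp.headers.items())
    except urllib.error.HTTPError as err:
        return list(err.headers.items())


# Constructed sample inventory: hostnames are made up; the first Vary value is the
# one quoted in the write-up, the rest are invented to exercise edge cases.
SAMPLE_INVENTORY: Dict[str, List[Header]] = {
    "app.example.test": [
        ("Content-Type", "text/html"),
        ("Vary", "rsc, next-router-state-tree, next-router-prefetch, "
                 "next-router-segment-prefetch, Accept-Encoding"),
    ],
    "static.example.test": [("Vary", "Accept-Encoding")],
    "split.example.test": [("VARY", "RSC"), ("vary", "Accept-Encoding")],
    "legacy.example.test": [("Server", "nginx")],
}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {label} {rsc_indicators(SAMPLE_INVENTORY[host])}")
```

Feed the output of `fetch_headers` for each host into `triage` to build the same inventory from live responses; hosts that come back "verify-rsc" are the ones whose Next.js version should be checked and patched, while "no-rsc-signal" hosts can be deprioritized for this particular CVE (though absence of the header is not proof of absence of RSC).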
So I went to https://hunter.how/. You might be thinking "why not Shodan?" Shodan dorks were not giving good results when targeting a specific organization, for some reason. So in hunter.how I used this dork: header="vary: rsc"

And I started targeting specific orgs. NASA was one of them. So when I searched header="vary: rsc"&&domain="nasa.gov", this is what I got:

Then I immediately tested the site with nuclei but didn't get anything good 🙂️ From my experience of testing some other sites for this vuln and getting no result with nuclei or the PoC script, I captured the request in Burp Suite to test it manually and made the following request:

And the response was all the contents of /etc/passwd, as expected!!! 😍️

I was so surprised at that moment that I just went completely frozen for a while. I had literally found a critical vuln on NASA & it's an RCE!!!! This is the first time ever I found an RCE on a live bug bounty target. I was so happy & the happiness got multiplied because of the target being NASA!!! My childhood dream of executing commands on a NASA server haha!! I was on a sudden adrenaline rush thinking about further exploration in the system, but then I remembered it's a federal server 😅️ So without running any further commands I quickly reported it to NASA on Bugcrowd, hoping for the NASA LOR (Letter of Recognition). But my happiness didn't last very long. Within a few hours they marked it as a duplicate! 🥲️
But I didn't lose hope & continued testing more and more targets. Md. Fazle Rabbi and I discovered this issue in some other well-known orgs but didn't get any luck there either! We were late! 🥲️
Anyway, the vuln in NASA is now resolved & I hope you liked this story! Instead of just telling you where and how I tested for this vuln, I tried to explain my thought process & strategy from learning about the CVE to actually finding it. Hope this was interesting and helpful! Pray for me & everyone else, stay updated, stay sharp & don't be late like me 😅️ Till my next writeup, Allah hafiz (May Allah protect you)!!! BYE!!!