#0x56

Subdomain takeover candidate at admin.verify.jup.ag — dangling Vercel CNAME (DEPLOYMENT_NOT_FOUND)

@brudasubmitted a report toJupiterMay 14, 2026 at 12:14

Severity	MEDIUM
CVSS	6.1`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
Vulnerability Type	Security Misconfiguration
Asset	*.jup.ag - Jupiter Domain
Endpoint	`https://admin.verify.jup.ag/`

Description

admin.verify.jup.ag is delegated to Vercel via a CNAME record:

admin.verify.jup.ag. 300 IN CNAME 02d42fc3ebc95e8c.vercel-dns-013.com.

The target deployment 02d42fc3ebc95e8c.vercel-dns-013.com is no longer claimed. HTTPS requests to admin.verify.jup.ag are served by Vercel's fallback handler, which returns:

HTTP/2 404
server: Vercel
x-vercel-error: DEPLOYMENT_NOT_FOUND
content-type: text/plain; charset=utf-8

The deployment could not be found on Vercel.
DEPLOYMENT_NOT_FOUND

This is the textbook Vercel "DEPLOYMENT_NOT_FOUND" signature of an unclaimed-but-pointed-at subdomain. Vercel's own documentation calls out this state as one where the subdomain "can be associated with another Vercel project". Combined with the fact that no _vercel.admin.verify.jup.ag TXT verification record is set, another organization adding admin.verify.jup.ag as a custom domain on a Vercel project they control will succeed.

If an attacker successfully claims it, they receive:

A valid TLS certificate automatically issued for admin.verify.jup.ag by Vercel (no need to control DNS).
Full ability to serve any HTML / JavaScript under https://admin.verify.jup.ag/ that browsers treat as a Jupiter-owned origin.
Cookie-setting / cookie-reading path against any cookie scoped to Domain=.jup.ag.
A *.jup.ag origin that the wildcard-CORS-with-credentials hosts (datapi / token-verify-api / fe-api / etc.) will trust as an "internal Jupiter" caller — turning the takeover into a credentialed pivot against authenticated user sessions on those production APIs.

The host name itself ("admin.verify") is exceptionally useful for credibility-based phishing of Jupiter users, because Jupiter already operates the related real subdomains verify.jup.ag, token-verify-api.jup.ag, and verified.jup.ag.

I am NOT attempting the takeover itself in this report — Bugcrowd / Jupiter program rules do not authorize a researcher to actually claim an in-scope asset. The submission is the dangling-DNS condition + the Vercel "DEPLOYMENT_NOT_FOUND" signature + the absent _vercel TXT verification record, all of which are verifiable read-only.

Fix: Remove the CNAME for admin.verify.jup.ag from Cloudflare DNS until a real Vercel project is re-attached, OR re-claim the subdomain by adding admin.verify.jup.ag as a domain on the original Vercel project. Going forward, audit the *.jup.ag zone for any other CNAMEs pointing to Vercel / Netlify / Heroku / GitHub Pages / AWS targets that no longer resolve to a claimed deployment.

Steps to Reproduce

PoC 1 — Confirm DNS state from three independent resolvers:

$ dig +short admin.verify.jup.ag CNAME @8.8.8.8
02d42fc3ebc95e8c.vercel-dns-013.com.

$ dig +short admin.verify.jup.ag CNAME @1.1.1.1
02d42fc3ebc95e8c.vercel-dns-013.com.

$ dig +short admin.verify.jup.ag CNAME @8.8.4.4
02d42fc3ebc95e8c.vercel-dns-013.com.

PoC 2 — HTTPS response shows the unclaimed-deployment signature:

$ curl -i https://admin.verify.jup.ag/

HTTP/2 404
cache-control: public, max-age=0, must-revalidate
content-type: text/plain; charset=utf-8
server: Vercel
strict-transport-security: max-age=63072000
x-vercel-error: DEPLOYMENT_NOT_FOUND
x-vercel-id: pdx1::x7ntg-1778759132857-ed14db71d39a
content-length: 107

The deployment could not be found on Vercel.

DEPLOYMENT_NOT_FOUND

PoC 3 — TLS terminates on Vercel (confirming a takeover would also receive a fresh, valid cert):

$ curl -kv https://admin.verify.jup.ag/ 2>&1 | grep -iE "subject|issuer|server"
subject: CN=*.vercel-dns-013.com
issuer: Let's Encrypt
server: Vercel

PoC 4 — No common admin/API paths exist (confirms the deployment is empty, not "just protected"):

$ for p in /login /api /dashboard /_next/data /api/auth /api/admin /api/health /health; do
echo "$p -> $(curl -sk -o /dev/null -w '%{http_code}' https://admin.verify.jup.ag$p)"
done

/login -> 404
/api -> 404
/dashboard -> 404
/_next/data -> 404
/api/auth -> 404
/api/admin -> 404
/api/health -> 404
/health -> 404

PoC 5 — No _vercel TXT verification record (this is what blocks an attacker from claiming a CNAME-pointed Vercel subdomain — its absence is what makes this a real takeover candidate, not benign config drift):

$ dig +short TXT _vercel.admin.verify.jup.ag @8.8.8.8
(empty)

$ dig +short TXT _vercel.admin.verify.jup.ag @1.1.1.1
(empty)

Impact

admin.verify.jup.ag returns Vercel's DEPLOYMENT_NOT_FOUND signature, indicating an unclaimed Vercel deployment slot.
- With no _vercel. TXT verification record set, an attacker can attempt to claim the subdomain on their own Vercel project, automatically receive a Let's-Encrypt-issued TLS certificate for it, and serve arbitrary content under a Jupiter-owned origin.
- The "admin.verify" name has exceptional phishing credibility against Jupiter users because related real subdomains (verify.jup.ag, token-verify-api.jup.ag, verified.jup.ag) exist as part of the product surface.
- Combined with the wildcard-CORS-with-credentials finding on datapi / fe-api / ultra-api / etc., a successful takeover gives the attacker a *.jup.ag origin that those production APIs already trust as a same-origin caller, turning this into a credentialed cross-origin attack vector against authenticated jup.ag users.
- Fix is one DNS record removal.

References (1)

https://github.com/EdOverflow/can-i-take-over-xyz

Activity

@thibaultchanged the status toNeeds More Info

May 14

@brudachanged the status toNew

May 14

@thibaultclosed the report asInformative

May 14

@raccoonsdisclosed this reportPublic Disclosure

May 22

Properties

Status

INFORMATIVE

Severity

MEDIUM

Reporter

@bruda

Program

Jupiter

admin.verify.jup.ag is delegated to Vercel via a CNAME record:

admin.verify.jup.ag. 300 IN CNAME 02d42fc3ebc95e8c.vercel-dns-013.com.

The target deployment 02d42fc3ebc95e8c.vercel-dns-013.com is no longer claimed. HTTPS requests to admin.verify.jup.ag are served by Vercel's fallback handler, which returns:

HTTP/2 404
server: Vercel
x-vercel-error: DEPLOYMENT_NOT_FOUND
content-type: text/plain; charset=utf-8

The deployment could not be found on Vercel.
DEPLOYMENT_NOT_FOUND

If an attacker successfully claims it, they receive:

A valid TLS certificate automatically issued for admin.verify.jup.ag by Vercel (no need to control DNS).
Full ability to serve any HTML / JavaScript under https://admin.verify.jup.ag/ that browsers treat as a Jupiter-owned origin.
Cookie-setting / cookie-reading path against any cookie scoped to Domain=.jup.ag.
A *.jup.ag origin that the wildcard-CORS-with-credentials hosts (datapi / token-verify-api / fe-api / etc.) will trust as an "internal Jupiter" caller — turning the takeover into a credentialed pivot against authenticated user sessions on those production APIs.