#0x57

Public Swagger / OpenAPI documentation on 5 Jupiter production APIs reveals every internal route, including the 1000-JUP token-verify payment flow

@brudasubmitted a report toJupiterMay 14, 2026 at 12:22

Severity	LOW
CVSS	5.3`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
Vulnerability Type	Security Misconfiguration
Asset	*.jup.ag - Jupiter Domain
Endpoint	`https://token-verify-api.jup.ag/docs`

Description

Five Jupiter production APIs serve their Swagger UI (/docs) and OpenAPI 3 JSON spec (/openapi.json) without authentication, disclosing every internal route, parameter, request body, and response schema — including the Token Verification API's full 3-step "1000 JUP" express-payment flow.

Affected hosts:

https://token-verify-api.jup.ag/docs (Swagger UI)
https://token-verify-api.jup.ag/openapi.json (OpenAPI 3 spec)
https://prediction-market-api.jup.ag/docs
https://prediction-market-api.jup.ag/openapi.json
https://content-api.jup.ag/docs
https://content-api.jup.ag/openapi.json
https://lend-api.jup.ag/docs
https://lend-api.jup.ag/swagger
https://mobile-api.jup.ag/openapi.json

All five APIs are in scope (*.jup.ag wildcard, production). Documentation is served unauthenticated; Cloudflare returns content directly with no allowlist. The spec includes:

Every endpoint path the API supports (including internal/admin-flavored ones).
Every input parameter (type, format, constraints, required/optional).
Every response schema (all field names and types, including fields a normal user would not see).
Free-text description fields documenting intended payment, signing, and execution flows.
Server metadata: title, version, environment.

The most security-relevant disclosure is the Token Verification API's express payment flow. /openapi.json documents:

GET /express/check-eligibility?tokenId=
GET /payments/express/craft-txn?senderAddress=
POST /payments/express/execute

…with descriptions explaining that craft-txn returns a base64-encoded unsigned Solana transaction for a 1000 JUP payment to a Jupiter receiver address, plus a requestId, plus fee details, and that /payments/express/execute consumes the signed transaction. The CraftTxnResponse schema explicitly reveals fields receiverAddress, mint (example "JUPyiwrYJFskUPiHa7hkeR8VUtAeFoSYbKedZNsDvCN"), feeMint, requestId, gasless, plus an internal "verificationCreated" boolean.

This is enough for an attacker to:

Enumerate at scale every Solana mint Jupiter considers "verified" or "eligible for premium verification" by hitting check-eligibility without paying any fees or signing anything (a paid feature surfaced for free reconnaissance).
Map the exact 3-step payment ceremony (eligibility → craft-txn → execute) and feed it into automated tooling for fee-bypass / requestId reuse / receiverAddress collision attacks without ever loading the front-end.
Find schema mismatches between the documented contract and the real backend (any such mismatch is a parameter-injection / mass-assignment / type-confusion candidate).
Use the documented "requestId" + "expireAt" fields to look for state-machine bugs between craft-txn (which writes a pending payment) and execute (which consumes it).

Likewise on prediction-market-api.jup.ag, the public spec discloses POST /api/v1/orders, DELETE /api/v1/orders, DELETE /api/v1/orders/close-all, POST /api/v1/positions/{positionPubkey}/claim, the full follow/unfollow social graph at POST /api/v1/follow/{ownerPubkey} + DELETE /api/v1/unfollow/{ownerPubkey}, and /api/v1/leaderboards / /api/v1/profiles/{ownerPubkey}/pnl-history — all of which are immediately probable at scale.

mobile-api.jup.ag's openapi.json discloses the full ASR-claim / campaign-claim / reclaim craft-and-execute flows (/v1/asr/craft-claim, /v1/asr/execute, /v1/campaigns/{slug}/craft, /v1/campaigns/{slug}/execute, /v1/reclaim/craft, /v1/reclaim/execute). The endpoints themselves are bearer-protected, but the route map + parameters + response schemas are not — which is exactly what an attacker would otherwise have to guess.

Root cause is almost certainly Fastify's @fastify/swagger plugin (which exposes /docs + /openapi.json out of the box). One-line fix per service: gate the swagger registration on NODE_ENV !== "production".

Steps to Reproduce

PoC 1 — Token Verification API spec exposes the full 1000-JUP payment flow:

$ curl -s https://token-verify-api.jup.ag/openapi.json | python3 -m json.tool | head -25

{
"openapi": "3.0.3",
"info": {
"title": "Jupiter Token Verification API",
"version": "1.0.0",
"description": "API for express token verification and metadata updates"
},
"paths": {
"/express/check-eligibility": { "get": {...} },
"/payments/express/craft-txn": {
"get": {
"summary": "Craft express verification payment transaction",
"description": "Crafts an unsigned Solana transaction for a 1000 JUP express verification payment. The returned transaction and requestId are used in the execute step."
}
},
"/payments/express/execute": {
"post": {
"summary": "Execute express verification payment",
"description": "Signs and submits the crafted transaction, records payment, creates an express (premium) verification request, and optionally submits token metadata updates."
}
}
}
}

PoC 2 — Confirm host is production:

$ curl -s https://token-verify-api.jup.ag/
{"service":"Token Verification API","status":"healthy","version":"1.0.0","environment":"prod"}

PoC 3 — Prediction-market API discloses every order / position / social-graph endpoint:

$ curl -s https://prediction-market-api.jup.ag/openapi.json | python3 -c "
import json,sys
d=json.load(sys.stdin)
for p,m in d['paths'].items():
for v in m: print(v.upper().ljust(6),p)" | head -25

GET /api/v1/events/tags
GET /api/v1/events/suggested
GET /api/v1/events/suggested/{pubkey}
POST /api/v1/execute
GET /api/v1/orders
POST /api/v1/orders
DELETE /api/v1/orders
POST /api/v1/orders/execute
DELETE /api/v1/orders/close-all
POST /api/v1/positions/{positionPubkey}/claim
POST /api/v1/follow/{ownerPubkey}
DELETE /api/v1/unfollow/{ownerPubkey}
GET /api/v1/leaderboards
GET /api/v1/profiles/{ownerPubkey}/pnl-history

PoC 4 — Content-API ("Jupiter Mission Control") full spec:

$ curl -s https://content-api.jup.ag/openapi.json | python3 -m json.tool | head -12

{
"openapi": "3.0.3",
"info": {
"title": "Jupiter Mission Control API",
"version": "1.0.0"
},
"servers": [
{ "url": "https://content-api.jup.ag", "description": "Production server" }
],
"paths": { "/v1/content": ..., "/v1/content/feed": ..., "/v1/content/cooking": ..., "/v1/content/summaries": ... }
}

PoC 5 — Lend-API exposes /docs and /swagger:

$ curl -s -o /dev/null -w "%{http_code}\n" https://lend-api.jup.ag/docs
200
$ curl -s -o /dev/null -w "%{http_code}\n" https://lend-api.jup.ag/swagger
200

PoC 6 — mobile-api spec lists the full claim/craft/execute reward flow used by ASR + campaigns:

$ curl -s https://mobile-api.jup.ag/openapi.json | python3 -c "
import json,sys
d=json.load(sys.stdin)
for p,m in d['paths'].items():
for v in m: print(v.upper().ljust(6),p)" | head -15

GET /v1/asr/side-menu
GET /v1/asr/claim-view
GET /v1/asr/craft-claim
POST /v1/asr/execute
POST /v1/reclaim/craft
POST /v1/reclaim/execute
GET /v1/campaigns
GET /v1/campaigns/{campaignSlug}/craft
POST /v1/campaigns/{campaignSlug}/execute
GET /v1/portfolio/holdings/{address}
GET /v1/transactions/fetch

PoC 7 — All endpoints summary table (one curl per host):

$ for h in token-verify-api prediction-market-api content-api lend-api mobile-api; do
echo "$h.jup.ag/docs $(curl -sk -o /dev/null -w '%{http_code}' https://$h.jup.ag/docs)"
echo "$h.jup.ag/openapi.json $(curl -sk -o /dev/null -w '%{http_code}' https://$h.jup.ag/openapi.json)"
done

token-verify-api.jup.ag/docs 200
token-verify-api.jup.ag/openapi.json 200
prediction-market-api.jup.ag/docs 200
prediction-market-api.jup.ag/openapi.json 200
content-api.jup.ag/docs 200
content-api.jup.ag/openapi.json 200
lend-api.jup.ag/docs 200
lend-api.jup.ag/swagger 200
mobile-api.jup.ag/openapi.json 200

Impact

Five Jupiter production APIs expose internal API documentation publicly (Swagger UI + OpenAPI 3 JSON).
- The most sensitive disclosure is the Token Verification API's 3-step "1000 JUP express payment" flow, fully documented with request body, response schema, and behavior notes.
- prediction-market-api, content-api, mobile-api, lend-api each leak their full route map and response schemas to anyone with a browser.
- Attack uplift: every other class of backend bug against these services (parameter injection, mass assignment, IDOR, race conditions, state-machine abuse, fee-bypass) starts from a fully documented contract instead of a black box.
- One-line fix per service: gate Fastify's @fastify/swagger registration on NODE_ENV !== "production".

References (1)

https://portswigger.net/web-security/information-disclosure

Activity

@thibaultclosed the report asInformative

May 14

@raccoonsdisclosed this reportPublic Disclosure

May 22

Properties

Status

INFORMATIVE

Severity

LOW

Reporter

@bruda

Program

Jupiter