Severity: HIGH | CWE-306 | Category: API Security

Exposed Next.js API Route

Description

A Next.js API route exposes sensitive data or functionality without proper authentication or rate limiting.

How Vezraa Detects It

We crawl common Next.js API patterns (/api/*) and test each endpoint for authentication requirements.

Real-World Impact

Attackers can scrape data from unprotected API routes, execute privileged operations, or discover internal application structure.

Fix Example

// Add an auth check to API routes (App Router route handler, app/api/.../route.js).
// getSession and getData are the application's own helpers: getSession must
// validate the session cookie or token server-side, not merely read it.
export async function GET(request) {
  const session = await getSession(request);
  // Reject before touching any data so unauthenticated callers learn nothing.
  if (!session) return new Response('Unauthorized', { status: 401 });
  // Scope the query to the authenticated user, never to a caller-supplied id.
  return Response.json(await getData(session.userId));
}
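The fix above protects one handler; a single gate in Next.js middleware covers every /api/* route and also adds the rate limiting the description calls for. The following is an added example, not Vezraa's or Next.js's own code: it is framework-free (Web-standard Request/Response, Node 18+) so it runs stand-alone, and the in-memory session store, the public-route list and the limiter settings are assumptions.

```javascript
// Gate for /api/* routes: session check plus per-client rate limit.
// In a Next.js app this would be called from middleware.js; here it is
// framework-free so it can run on its own (assumed helpers, not Next.js API).

// Routes allowed without a session (constructed list; keep it short and explicit).
const PUBLIC_API = new Set(['/api/health']);

// Fixed-window counter per client key; `now` is injectable for testing.
class RateLimiter {
  constructor(limit, windowMs, now = Date.now) {
    this.limit = limit; this.windowMs = windowMs; this.now = now;
    this.buckets = new Map();
  }
  allow(key) {
    const t = this.now();
    const b = this.buckets.get(key) ?? { count: 0, resetAt: t + this.windowMs };
    if (t >= b.resetAt) { b.count = 0; b.resetAt = t + this.windowMs; }
    b.count += 1;
    this.buckets.set(key, b);
    return b.count <= this.limit;
  }
}

// Resolve the `session` cookie to a session record. `sessions` is a constructed
// in-memory Map standing in for the app's real, server-side session lookup.
function sessionFromRequest(request, sessions) {
  const cookie = request.headers.get('cookie') ?? '';
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  return m ? sessions.get(m[1]) ?? null : null;
}

// Returns a Response to short-circuit with, or null to let the route handler run.
function guardApiRequest(request, { sessions, limiter }) {
  const { pathname } = new URL(request.url);
  if (!pathname.startsWith('/api/')) return null;          // only API routes are gated
  const session = sessionFromRequest(request, sessions);
  if (!PUBLIC_API.has(pathname) && !session) {
    return new Response('Unauthorized', { status: 401 });  // deny before any work
  }
  // Key the limit on the session when authenticated; otherwise on the client IP.
  // x-forwarded-for is only trustworthy behind a proxy you control.
  const key = session ? `s:${session.id}`
                      : `ip:${request.headers.get('x-forwarded-for') ?? 'unknown'}`;
  if (!limiter.allow(key)) {
    return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
  }
  return null;
}
```

Public routes are still rate-limited, which is what stops an unauthenticated caller from scraping them at volume.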

Affected Stacks

Next.js


Exposed Next.js API Route — Vulnerability Database | Vezraa