Severity: HIGH | CWE-306 | Category: API Security
Exposed Next.js API Route
Description
A Next.js API route exposes sensitive data or privileged functionality without requiring authentication and without rate limiting, so anyone who can reach the endpoint can call it.
How Vezraa Detects It
We crawl common Next.js API patterns (/api/*) and test each endpoint for authentication requirements.
Real-World Impact
Attackers can scrape data from unprotected API routes, execute privileged operations, or discover internal application structure.
Fix Example
```javascript
// Add an auth check to API routes (App Router route handler, e.g. app/api/data/route.js).
// getSession() and getData() are the application's own helpers: getSession resolves the
// caller's session from the request, getData loads only the data that user may see.
export async function GET(request) {
  const session = await getSession(request);
  // Reject unauthenticated callers before any data is read or returned.
  if (!session) return new Response('Unauthorized', { status: 401 });
  return Response.json(await getData(session.userId));
}
```
Affected Stacks
Next.js