Unsafe API Consumption
Your API trusts responses from third-party APIs without validating them, so an attacker who compromises or can tamper with an upstream service can compromise your application through the data it returns.
How It Works
When your API consumes data from a third-party service, it usually trusts the response implicitly: the checks applied to end-user input (type, length, allowed fields) are skipped because the data "comes from a partner". If the upstream API is compromised, misbehaves, or returns data of an unexpected shape, your application processes attacker-controlled values as trusted, which can lead to injection (SQL, command or template, depending on where the value ends up), data corruption, or business logic bypass. Attackers reach this surface by compromising a less-secured third-party API, or by performing a man-in-the-middle attack against an integration that does not verify TLS certificates, and injecting payloads that your application then handles as trusted data.
Vulnerable code: the upstream JSON is interpolated straight into SQL.

```javascript
import express from 'express';   // `db` is assumed to be a pg-style client elsewhere in the app

const app = express();

app.get('/api/enrichment/:email', async (req, res) => {
  // The raw path parameter is concatenated into the upstream URL without encoding
  const data = await fetch(`https://api.third-party.com/lookup?email=${req.params.email}`);
  const profile = await data.json();   // trusted blindly: no status, content-type or shape check
  // Upstream-controlled `profile.name` (and the email) are concatenated into SQL: injection
  await db.query(`UPDATE users SET name = '${profile.name}' WHERE email = '${req.params.email}'`);
  res.json(profile);                   // and echoed back to the client, extra fields included
});
```

Fixed code: the response is validated against a schema and the query is parameterized.

```javascript
import express from 'express';
import { z } from 'zod';   // `db` is assumed to be a pg-style client (hence the $1/$2 placeholders)

const app = express();

// Only the fields we use, with type and length limits; zod strips keys the schema does not name
const ProfileSchema = z.object({ name: z.string().max(100), company: z.string().optional() });

app.get('/api/enrichment/:email', async (req, res) => {
  const data = await fetch(`https://api.third-party.com/lookup?email=${encodeURIComponent(req.params.email)}`);
  if (!data.ok) return res.status(502).json({ error: 'upstream error' });   // don't parse error bodies
  const raw = await data.json();
  const result = ProfileSchema.safeParse(raw);   // reject bad upstream data instead of throwing
  if (!result.success) return res.status(502).json({ error: 'invalid upstream response' });
  const profile = result.data;
  await db.query('UPDATE users SET name = $1 WHERE email = $2', [profile.name, req.params.email]);
  res.json(profile);   // only the validated fields are echoed back
});
```

Real-World Example
In 2021, Codecov's Bash Uploader script was modified by an attacker so that it exfiltrated environment variables, including CI credentials and tokens, from the CI/CD pipelines that ran it. Companies such as Twilio, HashiCorp, and Confluent that downloaded and executed the script without verifying its integrity (Codecov published a checksum for the script that would have exposed the tampering) were affected. The lesson is the same as for API responses: content fetched from a third party is untrusted input until you have verified it.
How to Prevent It
- Validate every third-party response against an explicit schema (expected keys, types, lengths) and drop anything the schema does not name, before any other code sees the data
- Use parameterized queries, and the equivalent escaping for shells and templates, even when the data source is considered trusted
- Verify TLS certificates on every outbound call and use certificate pinning for critical integrations
- Set timeouts, response size limits and circuit breakers for external API calls, so a slow, failing or hostile upstream cannot take your service down with it
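The following block is an added example, not Hogo's code, that puts the four points above together in one hardened consumer for the profile-lookup upstream used on this page. The upstream URL, the `{name, company}` response shape and every helper name are assumptions for illustration; the transport (`fetchImpl`) is injected and fed constructed responses so the block runs offline, and the schema check is hand-written rather than zod so it needs no dependencies. Certificate verification and pinning happen at the TLS layer and are not shown here.

```javascript
// Hardened consumer for the profile-lookup upstream discussed above (added example).
// Assumptions for illustration: the upstream URL, the {name, company} response shape,
// and all helper names. The transport (`fetchImpl`) is injected so the block runs offline.

const MAX_BODY_BYTES = 16 * 1024; // refuse oversized upstream bodies before parsing them
const FIELD_MAX = 100;            // same bound the page's zod schema applies to `name`

// 1. Schema check without a library: only the fields we use, with type and length
//    limits; unknown keys (e.g. a surprise `role`) are dropped, not passed through.
function validateProfile(raw) {
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    return { ok: false, error: 'profile must be a JSON object' };
  }
  const { name, company } = raw;
  if (typeof name !== 'string' || name.length === 0 || name.length > FIELD_MAX) {
    return { ok: false, error: 'name must be a non-empty string of at most 100 chars' };
  }
  if (company !== undefined && (typeof company !== 'string' || company.length > FIELD_MAX)) {
    return { ok: false, error: 'company must be a string of at most 100 chars' };
  }
  return { ok: true, value: company === undefined ? { name } : { name, company } };
}

// 2. Parameterised UPDATE: upstream data only ever travels in the values array, never
//    in the SQL text, so quotes or comment markers in `name` cannot change the query.
function buildUpdate(profile, email) {
  return { text: 'UPDATE users SET name = $1 WHERE email = $2', values: [profile.name, email] };
}

// 3. Minimal circuit breaker: after `threshold` consecutive failures the circuit opens and
//    calls are refused for `cooldownMs`; the first call after that is a single trial call.
class CircuitBreaker {
  constructor({ threshold = 3, cooldownMs = 30000, now = Date.now } = {}) {
    Object.assign(this, { threshold, cooldownMs, now, failures: 0, openedAt: null });
  }
  allow() {
    if (this.openedAt === null) return true;
    if (this.now() - this.openedAt < this.cooldownMs) return false;
    this.openedAt = null;                 // half-open: one more failure re-opens it
    this.failures = this.threshold - 1;
    return true;
  }
  recordSuccess() { this.failures = 0; this.openedAt = null; }
  recordFailure() { if (++this.failures >= this.threshold) this.openedAt = this.now(); }
}

// 4. The consumer: timeout, status and content-type checks, body cap, schema, breaker.
async function fetchProfile(email, { fetchImpl, breaker, timeoutMs = 2000 }) {
  if (!breaker.allow()) return { ok: false, error: 'circuit open' };
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    const url = `https://api.third-party.com/lookup?email=${encodeURIComponent(email)}`;
    const res = await fetchImpl(url, { signal: ac.signal });
    if (res.status !== 200) throw new Error(`upstream status ${res.status}`);
    const ct = res.headers.get('content-type') || '';
    if (!ct.startsWith('application/json')) throw new Error(`unexpected content-type ${ct}`);
    const body = await res.text();
    if (Buffer.byteLength(body, 'utf8') > MAX_BODY_BYTES) throw new Error('upstream body too large');
    const checked = validateProfile(JSON.parse(body)); // a SyntaxError on non-JSON lands in catch
    if (!checked.ok) throw new Error(`schema: ${checked.error}`);
    breaker.recordSuccess();
    return { ok: true, profile: checked.value, query: buildUpdate(checked.value, email) };
  } catch (err) {
    breaker.recordFailure();
    return { ok: false, error: err.name === 'AbortError' ? 'upstream timeout' : err.message };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed upstream responses (not captured traffic) in the Fetch Response shape the
// consumer relies on: status, headers.get(), text().
function fakeResponse(status, contentType, body) {
  return { status, headers: new Map([['content-type', contentType]]), text: async () => body };
}
const upstream = {
  // well-formed, but with an extra `role` field that must not reach the database
  'alice@example.com': fakeResponse(200, 'application/json',
    JSON.stringify({ name: "O'Brien", company: 'ACME', role: 'admin' })),
  // an injection payload in `name`: accepted as data, harmless as a bound parameter
  'bob@example.com': fakeResponse(200, 'application/json',
    JSON.stringify({ name: "x'; DROP TABLE users; --" })),
  // wrong type for `name`
  'carol@example.com': fakeResponse(200, 'application/json', JSON.stringify({ name: 123 })),
  // an HTML login/error page where JSON was expected
  'dave@example.com': fakeResponse(200, 'text/html; charset=utf-8', '<html>login</html>'),
};
function fakeFetch(url, { signal }) {
  const email = new URL(url).searchParams.get('email');
  if (email === 'hang@example.com') { // never answers; only the timeout ends the call
    return new Promise((_, reject) => signal.addEventListener('abort', () =>
      reject(Object.assign(new Error('aborted'), { name: 'AbortError' }))));
  }
  return Promise.resolve(upstream[email] ?? fakeResponse(404, 'application/json', '{}'));
}

// Walk the scenarios with one breaker (threshold 3): timeout, schema and content-type
// failures open it, so the final call is refused without touching the upstream.
async function demo() {
  const breaker = new CircuitBreaker({ threshold: 3 });
  const out = {};
  for (const email of ['alice@example.com', 'bob@example.com', 'hang@example.com',
                       'carol@example.com', 'dave@example.com', 'erin@example.com']) {
    out[email] = await fetchProfile(email, { fetchImpl: fakeFetch, breaker, timeoutMs: 50 });
  }
  return out;
}
demo().then((out) => console.log(JSON.stringify(out, null, 2)));
```

To use it against the real upstream, pass the global `fetch` as `fetchImpl` and keep one `CircuitBreaker` instance per upstream for the lifetime of the process. The order of checks matters: status and content-type are rejected before the body is read, the body is size-capped before it is parsed, and the parsed object is reduced to the schema's fields before anything is built from it, so a compromised upstream gets no chance to influence SQL text, response fields, or how long a request hangs.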
Related Vulnerabilities
- Broken Object Level Authorization (BOLA) (severity: high): API endpoints don't verify that the requesting user owns the resource they're accessing, allowing attackers to access other users' data by changing object IDs.
- Broken Authentication (API) (severity: high): API authentication mechanisms are weak or improperly implemented, such as JWTs without proper validation, tokens not kept in httpOnly cookies, or missing token expiration.
- Broken Object Property Level Authorization (severity: medium): the API allows users to read or modify object properties they shouldn't have access to, through mass assignment, excessive data exposure, or missing field-level access control.
- Unrestricted Resource Consumption (severity: medium): API endpoints without rate limiting, pagination, or resource limits, allowing attackers to exhaust server resources, rack up costs, or extract large datasets.