
API10:2023 Unsafe Consumption of APIs

Trusting upstream API responses without validation. This is the flip side of SSRF: rather than being tricked into fetching an attacker-chosen URL, the server fetches from a third party it chose, then passes the response through to its own clients (or uses it in security-sensitive logic) without checking the content or the origin of what came back.

What Vulkro detects

Vulkro tracks downstream HTTP client responses that flow into the response body or into authorisation logic without schema validation, allowlist, or signature check.

Non-compliant code (examples)

Express — pass-through of upstream response

    const express = require('express');
    const app = express();

    app.get('/exchange-rate', async (req, res) => {
      const upstream = await fetch('https://rates.example.com/usd');
      const json = await upstream.json();
      res.json(json); // no schema check; whatever the upstream returns reaches our clients unchanged
    });

Compliant code (examples)

Express — schema-validate the upstream payload

    const express = require('express');
    const { z } = require('zod');
    const app = express();

    const RateSchema = z.object({ usd: z.number(), eur: z.number() });
    app.get('/exchange-rate', async (req, res) => {
      try {
        const upstream = await fetch('https://rates.example.com/usd');
        const parsed = RateSchema.parse(await upstream.json()); // throws on shape drift
        res.json(parsed); // only the validated fields are re-served
      } catch (err) {
        res.status(502).json({ error: 'upstream returned an unexpected payload' }); // fail closed
      }
    });

See also

  • Confidence model - what High, Medium, and Low mean for findings in this category.
  • Safety - what Vulkro does and does not access on your machine.

This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.