Raw request chain to external service (open proxy to Skip API)
The Router API defined open proxy endpoints (/api/rest/* and /api/rpc/*) that forwarded the entire raw HTTP request to the Skip API with no input validation, path filtering, header or method restrictions, body sanitization, or authentication.
Description
The Router API defined two proxy-style endpoints (/api/rest/* and /api/rpc/*) that forwarded the entire raw HTTP Request object, unfiltered, through the application layers and finally into an outbound axios.request(...) call targeting the Skip API (SKIP_GO_API_URL).
No input validation, path filtering, header or method restrictions, body sanitization, or authentication were applied. The result was a generic, unauthenticated passthrough to an external API: any client could reach any Skip API route with a method, headers, and body of its own choosing, using the Router's network position and outbound identity.
Recommendation
Restrict the proxy to a closed allowlist of upstream paths, HTTP methods, and forwarded headers. Validate each request body against the schema expected for that route. Authenticate the caller before anything is forwarded.
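The following is an added illustration of the recommended shape of the proxy, not code from the Initia Router API or the audit. It contrasts an unfiltered passthrough with an allowlist-gated builder for the outbound axios-style request config; the upstream URL, route patterns, and body check are constructed placeholders, not the Skip API's real routes.

```javascript
// Constructed placeholder for the real SKIP_GO_API_URL.
const SKIP_GO_API_URL = 'https://skip.example/';

// Closed allowlist: exact method, anchored path pattern, headers that may be
// forwarded, and (for routes with a body) a schema check. Placeholder routes.
const ALLOWLIST = [
  { method: 'GET', path: /^\/v2\/info\/chains$/, headers: ['accept'] },
  { method: 'POST', path: /^\/v2\/fungible\/route$/, headers: ['accept', 'content-type'],
    body: (b) => typeof b === 'object' && b !== null && typeof b.amount_in === 'string' },
];

// The pattern described in the finding: the inbound request is copied into
// the outbound config as-is, so the caller picks method, path, headers and body.
function forwardUnfiltered(req) {
  return { method: req.method, url: SKIP_GO_API_URL + req.path, headers: req.headers, data: req.body };
}

// Hardened builder. `req` is the request as seen after the /api/rest prefix:
// { user, method, path, headers (lowercased names), body }. Returns either an
// { error: <http status> } decision or the config to hand to axios.request().
function forwardAllowlisted(req) {
  if (!req.user) return { error: 401 };                 // authenticate first
  const rule = ALLOWLIST.find((r) => r.method === req.method && r.path.test(req.path));
  if (!rule) return { error: 404 };                     // unknown path or method
  if (rule.body ? !rule.body(req.body) : req.body !== undefined) return { error: 400 };
  const headers = {};                                   // copy only listed headers
  for (const h of rule.headers) if (req.headers[h] !== undefined) headers[h] = req.headers[h];
  return {
    method: rule.method,
    url: new URL(req.path, SKIP_GO_API_URL).toString(),  // anchored regex already excluded '..' and '?'
    headers,
    data: rule.body ? req.body : undefined,
  };
}
```

Because the regexes are anchored to whole paths, traversal segments and query strings simply fail to match and are rejected with 404 rather than reaching the upstream.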
Initia: Resolved. Pashov Audit Group: Resolved. See the report for full detail.