F-2025-0020 · input-validation
No response validation for external skip API
TL;DR
Responses from the external Skip API were consumed without schema validation, leaving the widget vulnerable to malformed or malicious responses that did not match the expected shape.
Severity: LOW
Impact: LOW
Likelihood: MEDIUM
Method: Manual review
Category: input-validation
Complexity: LOW
Exploitability: LOW
Description
The widget consumed Skip API responses without validating them against an expected schema. If Skip API ever returned malformed data (intentionally adversarial or accidentally), the widget would propagate the bad data into downstream logic.
Recommendation
Validate Skip API responses against an expected schema at the integration boundary. Reject and surface a clean error to the user if the response does not match.
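As an added example (not the widget's, Initia's or Skip's own code), a dependency-free schema check in TypeScript at the integration boundary, rejecting a response that does not match and surfacing a clean error with the offending path. The route fields (amount_in, amount_out, operations, chain_id) are an assumed shape for illustration, not the real Skip API schema.

```typescript
// Added example (not Initia's or Skip's code): validate a Skip API response
// against an explicit schema before any downstream logic touches it.
// The route-response shape below is an ASSUMPTION for illustration only.

type Field =
  | { kind: "string" | "number" | "boolean" }
  | { kind: "array"; item: Field }
  | { kind: "object"; fields: Record<string, Field> };

// Clean, user-surfaceable error that records where the response diverged.
export class SchemaError extends Error {
  constructor(public readonly path: string, detail: string) {
    super(`Invalid Skip API response at ${path}: ${detail}`);
  }
}

function check(value: unknown, schema: Field, path: string): void {
  switch (schema.kind) {
    case "string": case "number": case "boolean":
      if (typeof value !== schema.kind)
        throw new SchemaError(path, `expected ${schema.kind}, got ${typeof value}`);
      return;
    case "array":
      if (!Array.isArray(value)) throw new SchemaError(path, "expected array");
      value.forEach((v, i) => check(v, schema.item, `${path}[${i}]`));
      return;
    case "object":
      if (typeof value !== "object" || value === null || Array.isArray(value))
        throw new SchemaError(path, "expected object");
      for (const [key, f] of Object.entries(schema.fields))
        check((value as Record<string, unknown>)[key], f, `${path}.${key}`);
      return;
  }
}

// Hypothetical route response: amounts as decimal strings, a list of hops.
export type Route = { amount_in: string; amount_out: string; operations: { chain_id: string }[] };
export const routeSchema: Field = { kind: "object", fields: {
  amount_in: { kind: "string" },
  amount_out: { kind: "string" },
  operations: { kind: "array", item: { kind: "object", fields: { chain_id: { kind: "string" } } } },
} };

// Integration boundary: raw body in, typed Route out, or a SchemaError thrown.
export function parseRoute(body: string): Route {
  let raw: unknown;
  try { raw = JSON.parse(body); } catch { throw new SchemaError("$", "body is not valid JSON"); }
  check(raw, routeSchema, "$");
  return raw as Route;
}

// Constructed sample responses: one well-formed, one with a numeric amount_in.
export const GOOD_BODY = JSON.stringify({ amount_in: "1000", amount_out: "995", operations: [{ chain_id: "chain-a" }] });
export const BAD_BODY = JSON.stringify({ amount_in: 1000, amount_out: "995", operations: [] });
```

Downstream code only ever sees a `Route` that passed `check`, so a malformed or unexpected response fails at the boundary with a message the UI can show instead of propagating into quote or transaction logic.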
Initia: Acknowledged. Pashov Audit Group: Acknowledged.