Old API Version Exposed
Description
The application still serves endpoints for deprecated or outdated API versions that should have been retired. Because these legacy versions usually stop receiving development attention once a successor ships, they often lack the security patches, modern authentication and authorization checks, rate limiting, or input validation present in the current version. Keeping them reachable expands the attack surface for no functional benefit: an attacker who is blocked by a control in the current version can simply re-issue the same request against the old path, exploiting known vulnerabilities or bypassing security improvements that were only applied to newer versions.
Remediation
Implement a formal API deprecation and retirement process to eliminate access to outdated versions:
1. Identify all deprecated API versions - Audit your infrastructure to locate all legacy endpoints and document their usage patterns
2. Communicate deprecation timelines - Notify API consumers with clear migration deadlines and provide documentation for transitioning to supported versions
3. Disable or remove deprecated endpoints - Once the deprecation period expires, completely remove old API versions from production environments, including their route handlers and any gateway or load-balancer rules that still forward to them. If immediate removal is not feasible, block requests to the old paths at the application or gateway and answer with 410 Gone so that clients receive an unambiguous, non-retryable signal:
// Example: Express.js middleware that retires /api/v1 with 410 Gone.
// app.use() matches on path prefix, so no wildcard is needed; a bare '*' in the
// path is also rejected by Express 5. Register this before any remaining v1 routes.
const express = require('express');
const app = express();

app.use('/api/v1', (req, res) => {
  res.status(410).json({
    error: 'API version deprecated',
    message: 'This API version is no longer supported. Please use /api/v3/',
    sunset_date: '2024-01-15'
  });
});
4. Implement version sunset headers - For APIs still in the deprecation phase, use the Sunset (RFC 8594, an HTTP-date for when the version stops being served) and Deprecation (RFC 9745, a structured-field date for when deprecation took effect) response headers to inform clients, and point them at the successor with a Link header. The Deprecation value below is an illustrative date (1 July 2023); the earlier draft form `Deprecation: true` does not match the published RFC:
Sunset: Mon, 15 Jan 2024 23:59:59 GMT
Deprecation: @1688169600
Link: <https://api.example.com/v3/docs>; rel="successor-version"
5. Monitor and enforce - Regularly scan for legacy endpoints that remain reachable (including through API gateways, alternate hostnames, or internal routes that bypass the application-level block), watch access logs for any traffic still hitting retired versions, and ensure only the current supported API version(s) remain accessible in production
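The steps above, combined into one working example (added here; this is not code from the original finding or from any particular project). It keeps a single version lifecycle table, emits the Sunset/Deprecation/Link headers for versions in their deprecation phase, answers 410 Gone for retired versions, and audits access-log lines to show which clients still depend on legacy versions. The version names, dates, documentation URL, and log format are assumptions for illustration. The middleware uses only the node:http response API (setHeader, writeHead, end), which Express responses also support, so it runs without any dependencies:

```javascript
'use strict';

// Version lifecycle table (assumed for illustration). `deprecated` is when the
// version entered its sunset phase, `sunset` when it stops being served.
const VERSIONS = {
  v1: { state: 'retired',    deprecated: '2023-07-01T00:00:00Z', sunset: '2024-01-15T23:59:59Z', successor: 'v3' },
  v2: { state: 'deprecated', deprecated: '2024-06-01T00:00:00Z', sunset: '2025-06-30T23:59:59Z', successor: 'v3' },
  v3: { state: 'current' },
};
const DOCS_URL = 'https://api.example.com/v3/docs'; // assumed documentation URL

// Extract the version segment from a request path, e.g. '/api/v1/users' -> 'v1'.
function parseVersion(path) {
  const m = /^\/api\/(v\d+)(?:\/|\?|$)/.exec(path);
  return m ? m[1] : null;
}

// Lifecycle headers for a deprecated or retired version.
function lifecycleHeaders(entry) {
  const deprecatedAt = new Date(entry.deprecated);
  const sunsetAt = new Date(entry.sunset);
  return {
    'Deprecation': '@' + Math.floor(deprecatedAt.getTime() / 1000), // RFC 9745: structured-field date
    'Sunset': sunsetAt.toUTCString(),                               // RFC 8594: HTTP-date
    'Link': `<${DOCS_URL}>; rel="successor-version", <${DOCS_URL}>; rel="deprecation"`,
  };
}

// Decide what to do with a request path at time `now`. Fails closed: a version
// whose sunset date has passed is treated as retired even if the table was not updated.
function versionPolicy(path, now = new Date()) {
  const version = parseVersion(path);
  if (version === null) return { action: 'pass', headers: {} };           // not an API path
  const entry = VERSIONS[version];
  if (!entry) return { action: 'reject', status: 404, headers: {}, body: { error: 'unknown API version' } };
  if (entry.state === 'current') return { action: 'pass', headers: {} };
  const headers = lifecycleHeaders(entry);
  const retired = entry.state === 'retired' || now > new Date(entry.sunset);
  if (retired) {
    return {
      action: 'reject', status: 410, headers,
      body: { error: 'API version retired', message: `Use /api/${entry.successor}/`, sunset_date: entry.sunset },
    };
  }
  return { action: 'pass', headers }; // deprecated but still served: headers warn the client
}

// Middleware: apply the policy to every request. Register it before any route handlers.
function apiVersionGate(req, res, next) {
  const decision = versionPolicy(req.url);
  for (const [name, value] of Object.entries(decision.headers)) res.setHeader(name, value);
  if (decision.action === 'pass') return next();
  res.writeHead(decision.status, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify(decision.body));
}

// Audit: count hits and distinct clients per API version from access-log lines, so you
// know which consumers still use legacy versions and can alert on hits to retired ones.
// Assumed log format: `<client> "<METHOD> <path> HTTP/x.y" <status>`; non-API paths are skipped.
function auditVersionUsage(logLines) {
  const usage = {};
  for (const line of logLines) {
    const m = /^(\S+) "(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP\/[\d.]+" (\d{3})/.exec(line);
    if (!m) continue;
    const version = parseVersion(m[2]);
    if (version === null) continue;
    const entry = VERSIONS[version];
    const bucket = usage[version] ??= { state: entry ? entry.state : 'unknown', hits: 0, clients: new Set() };
    bucket.hits += 1;
    bucket.clients.add(m[1]);
  }
  return usage;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 "GET /api/v1/users HTTP/1.1" 200',
  '10.0.0.5 "GET /api/v1/users/42 HTTP/1.1" 200',
  '10.0.0.9 "POST /api/v2/orders HTTP/1.1" 201',
  '10.0.0.7 "GET /api/v3/orders HTTP/1.1" 200',
  '10.0.0.7 "GET /api/v9/admin HTTP/1.1" 404',
  '10.0.0.1 "GET /healthz HTTP/1.1" 200',
];

function demo() {
  for (const [version, u] of Object.entries(auditVersionUsage(SAMPLE_LOG))) {
    console.log(`${version} (${u.state}): ${u.hits} hit(s) from ${u.clients.size} client(s)`);
  }
  console.log(versionPolicy('/api/v1/users'));
}
if (typeof require !== 'undefined' && require.main === module) demo();
```

Run it with `node` to see the per-version usage summary and the 410 decision for a v1 request. The audit's 'unknown' bucket (v9 above) is worth alerting on as well: requests for a version that was never defined usually indicate probing for forgotten endpoints.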