Vulnerability
All Spider endpoints (/spider/crawl, /spider/search, /spider/links, /spider/screenshot, /spider/transform) have no authentication middleware applied. The route registration explicitly omits TokenAuth with a TODO comment acknowledging this is temporary.
Impact
- Any unauthenticated user can invoke Spider.cloud API calls through the server, using the platform's paid API quota without authorization.
- The server becomes an open proxy for web crawling, search, screenshots, and link extraction.
- Attackers can enumerate and crawl arbitrary URLs, take screenshots of internal services, and search for content at no cost to themselves.
- No rate limiting is applied to these routes, enabling high-volume abuse.
Endpoint
POST /spider/crawl — parameter url is passed to Spider.cloud without auth
POST /spider/search — parameter search is passed to Spider.cloud without auth
POST /spider/links — parameter url is passed to Spider.cloud without auth
POST /spider/screenshot — parameter url is passed to Spider.cloud without auth
POST /spider/transform — parameter data is passed to Spider.cloud without auth
Recommendation
Apply TokenAuth middleware to the /spider route group. The TODO comment indicates this was planned but deferred. Add rate limiting to prevent abuse even for authenticated users.
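The fix described above, as an added example written here in Go's standard library (not the project's own code): the entire /spider/ group is mounted behind one wrapper that first performs a bearer-token check (a hypothetical stand-in for TokenAuth, whose real implementation is not on this page) and then a fixed-window rate limit that also applies to authenticated callers. The Limiter, Protect and NewSpiderMux names and the placeholder inner handler are assumptions.

```go
package main

import "crypto/subtle"
import "net/http"
import "sync"
import "time"

// Limiter allows at most max requests per fixed window (one shared window for brevity; key it per caller in production).
type Limiter struct {
	mu         sync.Mutex
	count, max int
	window     time.Duration
	reset      time.Time
}

func (l *Limiter) Allow() bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if now := time.Now(); !now.Before(l.reset) {
		l.count, l.reset = 0, now.Add(l.window)
	}
	l.count++
	return l.count <= l.max
}

// Protect is a hypothetical stand-in for the project's TokenAuth plus a rate limit run after it, so a bad token cannot consume the window.
func Protect(expected string, l *Limiter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constant-time comparison of the whole header; a missing header fails the length check.
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte("Bearer "+expected)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !l.Allow() {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewSpiderMux mounts the whole /spider/ group behind Protect; the inner handler is a placeholder for the five Spider.cloud-backed endpoints.
func NewSpiderMux(token string, l *Limiter) *http.ServeMux {
	group := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("spider ok: " + r.URL.Path)) // where the real Spider.cloud call would happen
	})
	root := http.NewServeMux()
	root.Handle("/spider/", Protect(token, l, group))
	return root
}
```

Because the token check runs before the limiter, rejected requests never count against the window, so an unauthenticated client can neither reach Spider.cloud nor starve legitimate callers.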