Will It Vibe logoWill It Vibe?
NEXT-004Low severity-4 points

API route handles input without validation

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

A route handler reads req.body/query or request.json()/searchParams but no schema-validation library (zod, yup, joi, valibot, ...) is imported or applied. Heuristic: it flags the absence of a validator, not a specific unsafe use, so a handler that validates by hand is a false positive.

Why it matters

A route handler that reads req.body, req.query, or request.json() without validating it trusts whatever a client sends. Missing or wrong-typed fields cause runtime crashes, and unchecked values flow straight into database queries, file paths, or third-party calls. This is a heuristic: it reports that no validation library is imported, so a handler that checks input by hand is a false positive.

How to fix it

Define a schema for the request body and query with zod (or yup, joi, valibot) and parse the input at the top of the handler, returning a 400 on failure. Work only with the parsed, typed result afterward, never the raw request object.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks