The API lacks rate limiting controls, so clients can send an unlimited number of requests to its endpoints, which facilitates brute-force attacks and resource exhaustion.
An attacker could perform brute force attacks against authentication endpoints, enumerate resources, exhaust server resources causing denial of service, or abuse costly API operations without restriction.
Implement rate limiting on all API endpoints using a token bucket or sliding window algorithm. Set appropriate limits per user, per IP address, and per endpoint. When a limit is exceeded, return HTTP 429 Too Many Requests with a Retry-After header. Apply graduated (stricter) rate limits to sensitive endpoints such as authentication.
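The following is an added example of the remediation above, not code from the assessed API: a framework-agnostic token bucket limiter that keeps one bucket per client (IP or user key) and one per client-and-endpoint pair, applies tighter budgets to sensitive endpoints, and returns 429 with a Retry-After header computed from the bucket's refill rate. The endpoint names, limit values and the `ManualClock` helper are assumptions chosen for illustration.

```python
"""Token bucket rate limiter with per-client, per-endpoint and graduated limits.

Added example (not the assessed API's code). All limits below are assumed
values for illustration; a real deployment tunes them per endpoint.
"""
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Limit:
    """Allow a burst of `capacity` requests, refilled at capacity/window_seconds."""
    capacity: int
    window_seconds: int


# Graduated policy (assumed values): sensitive endpoints get far smaller budgets
# than ordinary endpoints, and every client also has an overall budget so that
# spreading requests across many endpoints does not bypass the limit.
ENDPOINT_LIMITS: Dict[str, Limit] = {
    "POST /login": Limit(capacity=5, window_seconds=60),             # 5 attempts/min
    "POST /password-reset": Limit(capacity=3, window_seconds=3600),  # 3 per hour
}
DEFAULT_ENDPOINT_LIMIT = Limit(capacity=60, window_seconds=60)
PER_CLIENT_LIMIT = Limit(capacity=300, window_seconds=60)  # across all endpoints


@dataclass
class Bucket:
    tokens: float
    last_refill: float


class ManualClock:
    """Settable clock so the limiter's behaviour can be checked deterministically."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class TokenBucketLimiter:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock  # injectable for tests; monotonic in production
        self._buckets: Dict[Tuple[str, str], Bucket] = {}

    def _refilled(self, key: Tuple[str, str], limit: Limit, now: float) -> Bucket:
        """Return the bucket for `key`, creating it full and crediting elapsed time."""
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=float(limit.capacity), last_refill=now)
            self._buckets[key] = bucket
        elapsed = max(0.0, now - bucket.last_refill)
        refill = elapsed * limit.capacity / limit.window_seconds
        bucket.tokens = min(float(limit.capacity), bucket.tokens + refill)
        bucket.last_refill = now
        return bucket

    def check(self, client_key: str, endpoint: str) -> Tuple[bool, int]:
        """Try to spend one token in every applicable scope.

        Returns (allowed, retry_after_seconds). Tokens are only consumed when
        every scope allows the request, so a rejected request never drains a
        bucket that would otherwise have admitted it.
        """
        now = self._clock()
        scopes = [
            (("client", client_key), PER_CLIENT_LIMIT),
            (("endpoint", f"{client_key} {endpoint}"),
             ENDPOINT_LIMITS.get(endpoint, DEFAULT_ENDPOINT_LIMIT)),
        ]
        refilled = [(self._refilled(key, limit, now), limit) for key, limit in scopes]
        retry_after = 0
        for bucket, limit in refilled:
            if bucket.tokens < 1.0:
                # Seconds until the deficit is refilled, rounded up, at least 1.
                wait = math.ceil((1.0 - bucket.tokens) * limit.window_seconds / limit.capacity)
                retry_after = max(retry_after, wait, 1)
        if retry_after:
            return False, retry_after
        for bucket, _ in refilled:
            bucket.tokens -= 1.0
        return True, 0


def handle_request(limiter: TokenBucketLimiter, client_key: str,
                   endpoint: str) -> Tuple[int, Dict[str, str]]:
    """Minimal HTTP-style outcome: (status, headers) before the real handler runs."""
    allowed, retry_after = limiter.check(client_key, endpoint)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}
    return 200, {}


if __name__ == "__main__":
    clock = ManualClock()
    limiter = TokenBucketLimiter(clock=clock)
    for _ in range(6):
        print(handle_request(limiter, "10.0.0.1", "POST /login"))
```

Keying buckets by the client (IP or authenticated user id) plus the endpoint means a sixth login attempt from one source is rejected while the same source's other endpoints and other sources' logins keep working; the Retry-After value tells well-behaved clients exactly how long to back off. In a multi-instance deployment the bucket store would live in a shared cache rather than process memory.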