String scalar in output has no maximum length defined

Possible exploit scenario

Without a maxLength or equivalent constraint , the API contract does not specify the expected size of returned string values. If no maximum length is defined, the API may return:

• Unexpectedly large values due to backend logic flaws
• Oversized error messages revealing internal details
• Excessive user-generated content
• Data leaked from unintended sources
• Amplified payloads in the event of exploitation
• Monitoring systems may fail to detect anomalies
• Downstream consumers may crash or behave unpredictably

If a backend component is compromised or misconfigured, it may return unexpectedly large string values, such as full stack traces, database dumps, or internal logs.

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. Good data definition quality in the schemas used in API responses allows reliably validating that the contents of outgoing API responses are as expected.

While filtering API responses does not block a specific kind of attack, it is there as a damage control mechanism in the unfortunate event that a successful attack has been conducted: it allows blocking the response and prevent attackers from retrieving data they should not access.

In the vast majority of cases (with the notable exception of Denial of Service (DoS and DDoS) attacks) attacks are conducted because attackers want to access data or resources they should not have access to. Often, this means that the structure or the size of the API response changes as a result of a successful attack, compared to a normal API response.

Validating that API responses are as expected can be achieved through proper schema validation of the API responses. The accuracy of this depends on the quality of the response schemas: the better defined your schemas are, the easier it is to detect when something is not right.

Although defining the maximum length for string outputs does not directly prevent attacks, it serves as a contract enforcement and damage containment mechanism. Clearly defined response bounds allow:

• Detection of abnormal responses
• Prevention of excessive data exposure
• Improved monitoring and validation
• Stronger guarantees for API consumers
• Reduced risk of response amplification attacks

A maximum length constraint helps detect and contain such abnormal responses and in security-sensitive environments is part of responsible API governance.