Zombie endpoint receives traffic
Description
A zombie API endpoint is absent from the latest deployed version of a service yet is still receiving traffic due to deployment drift — for example, a forgotten container, a failed rollout, or a legacy environment still running an outdated version. These endpoints are typically unmaintained and unpatched, making them a high-risk attack surface.
Rationale
This finding works by identifying an API endpoint that:
- received traffic since the latest deployment (with a 24h grace period after deploy)
- has a version tag that does not appear in the set of latest deployed versions
Deployment Tracking is a prerequisite for detecting Zombie API endpoints.
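The two conditions above can be expressed as a small check over deployment and traffic records. This is an added example, not Datadog's implementation: the record fields (`service`, `env`, `version`, `deployed_at`, `endpoint`, `ts`), the helper names, and the sample data are all constructed for illustration. It assumes the grace period is measured from the newest deployment of the service and that the "latest deployed versions" set holds the newest version in each environment.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)  # grace period after a deploy, from the rationale

def latest_per_service(deployments):
    """Map service -> (latest version of each env, time of the newest deploy)."""
    newest = {}  # (service, env) -> (deployed_at, version)
    for d in deployments:
        key = (d["service"], d["env"])
        if key not in newest or d["deployed_at"] > newest[key][0]:
            newest[key] = (d["deployed_at"], d["version"])
    result = {}
    for (service, _env), (ts, version) in newest.items():
        versions, last = result.get(service, (set(), ts))
        result[service] = (versions | {version}, max(last, ts))
    return result

def find_zombies(deployments, traffic):
    """Return sorted (service, endpoint, version) tuples meeting both conditions."""
    latest = latest_per_service(deployments)
    zombies = set()
    for req in traffic:
        if req["service"] not in latest:
            continue  # no deployment tracking data, so nothing to compare against
        versions, last_deploy = latest[req["service"]]
        if req["ts"] > last_deploy + GRACE and req["version"] not in versions:
            zombies.add((req["service"], req["endpoint"], req["version"]))
    return sorted(zombies)

# Constructed sample data (hypothetical service and endpoints, not real telemetry).
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
def dep(env, version, at):
    return {"service": "orders", "env": env, "version": version, "deployed_at": at}
def hit(endpoint, version, hours_after):
    return {"service": "orders", "endpoint": endpoint, "version": version,
            "ts": T0 + timedelta(hours=hours_after)}

DEPLOYMENTS = [dep("prod", "1.4.0", T0 - timedelta(days=30)),
               dep("prod", "2.0.0", T0),
               dep("staging", "2.1.0", T0 - timedelta(days=1))]
TRAFFIC = [hit("GET /v1/export", "1.4.0", 3),    # inside grace period: ignored
           hit("GET /v1/export", "1.4.0", 30),   # old version after grace: zombie
           hit("GET /v2/orders", "2.0.0", 30),   # latest prod version: fine
           hit("GET /v2/orders", "2.1.0", 30)]   # latest staging version: fine

if __name__ == "__main__":
    for service, endpoint, version in find_zombies(DEPLOYMENTS, TRAFFIC):
        print(f"zombie: {service} {endpoint} still served by version {version}")
```

Traffic for a service with no deployment records is skipped rather than flagged, which mirrors the prerequisite stated above: without deployment data there is no latest-version set to compare against.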
Remediation
Identify and decommission the legacy deployment still serving this endpoint (e.g. a forgotten container, a stuck rollout, or an outdated staging environment). Ensure all environments are running the latest version of the service so that removed endpoints can no longer receive traffic.