Security Advisory: Unauthenticated Magic Link Endpoint Enables Email Reflection Attack

Field             Value
Advisory ID       NXD-2025-001
Published         2025-05-23
Severity          High (CVSS 3.1 Base Score: 7.5)
CWE               CWE-799 — Improper Control of Interaction Frequency
Affected Product  Nexudus Platform — Magic Link Authentication
Status            Disclosed

Summary

The /api/sys/users/sendMagicLink endpoint did not require authentication or enforce rate limiting, allowing an unauthenticated attacker to trigger unlimited magic link emails to arbitrary registered users. This could be abused as an email reflection attack: flooding third-party mail servers, potentially causing denial of service, and making the operator’s mail infrastructure appear to be the source of the attack.

Vulnerability Details

What happened?

The Nexudus magic link authentication endpoint accepted unauthenticated GET requests with an email parameter and sent a magic link email to the specified address without any rate limiting or abuse prevention. An attacker could invoke this endpoint repeatedly, using the Nexudus mail servers as a reflector to flood a victim’s email infrastructure.

Root Cause

The /api/sys/users/sendMagicLink endpoint lacked both authentication requirements and request throttling. Any party with knowledge of a registered user’s email address could trigger unlimited outbound emails from Nexudus infrastructure.

Impact

With access to this endpoint, an attacker could:

1. Email Server Denial of Service

Flood a target email domain with magic link emails by repeatedly invoking the endpoint for multiple users within the same organisation, potentially overwhelming the receiving mail server.

2. Operator Deny-Listing

Cause the Nexudus operator’s mail infrastructure to be flagged as a spam source, resulting in the operator’s sending domain being added to email deny-lists and degrading legitimate email delivery for all of its customers.

3. User Harassment

Send an excessive volume of unsolicited emails to targeted users, disrupting their inbox and creating confusion.

Impact Assessment

Category         Impact
Confidentiality  Low — no data is directly exposed, but the existence of an email address can be inferred
Integrity        Operator email reputation degraded through deny-listing
Availability     Third-party email servers may experience denial of service; operator email deliverability impaired
Financial        Indirect costs from email reputation recovery and potential service disruption

Exploitation Prerequisites

  • Authentication Required: No — the endpoint was publicly accessible without authentication.
  • Technical Skill: Minimal — a simple HTTP GET request in a loop.
  • Tools Required: Any HTTP client (curl, scripting language, or browser).
  • Reconnaissance: Knowledge of registered user email addresses within a Nexudus-powered space.

Proof of Concept

curl --request GET \
     --url 'https://spaces.nexudus.com/api/sys/users/sendMagicLink?email=victim@victimcompany.org' \
     --header 'accept: application/json'

Running this request repeatedly, targeting multiple users within the same email domain, amplifies the attack by using Nexudus mail servers as a reflector.

Remediation

  1. Implement rate limiting — throttle requests to the /api/sys/users/sendMagicLink endpoint to limit the number of emails sent per address and per source IP within a given time window.
  2. Monitor outbound email volume — add alerting for anomalous spikes in magic link email sends.
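The throttle described in remediation step 1, as an added example written for this advisory (not Nexudus code): a sliding-window limiter in front of the magic link handler, keyed both by recipient address and by source IP. The limits (3 per address and 10 per IP per 15 minutes), the `MagicLinkGate` name and the flood scenario are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """At most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def has_headroom(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # age out old timestamps
            q.popleft()
        return len(q) < self.limit

    def record(self, key: str, now: float) -> None:
        self._events[key].append(now)


class MagicLinkGate:
    """Throttle in front of a sendMagicLink handler: one budget per recipient
    address and one per source IP. Limits are illustrative, not Nexudus's."""

    def __init__(self, per_email=(3, 900.0), per_ip=(10, 900.0)) -> None:
        self.by_email = SlidingWindowLimiter(*per_email)
        self.by_ip = SlidingWindowLimiter(*per_ip)
        self.dispatched = 0  # stand-in for the real mail send

    def request(self, email: str, source_ip: str, now: float) -> bool:
        """True if an email is actually sent. Answer the caller with the same
        generic message either way so the throttle is not an address oracle."""
        key = email.strip().lower()  # case variants share one budget
        # Check both budgets before consuming either, so a request refused on
        # the IP budget does not also burn the recipient's allowance.
        if not (self.by_email.has_headroom(key, now)
                and self.by_ip.has_headroom(source_ip, now)):
            return False
        self.by_email.record(key, now)
        self.by_ip.record(source_ip, now)
        self.dispatched += 1
        return True


def simulate_flood(gate: MagicLinkGate, emails, source_ip: str, attempts: int) -> int:
    """Constructed scenario: one source hitting several addresses, one request
    per second. Returns how many emails actually went out."""
    return sum(gate.request(emails[i % len(emails)], source_ip, float(i))
               for i in range(attempts))
```

In production the per-key deques would live in shared storage (for example a cache keyed by address and IP) so that the budget holds across application instances.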

Timeline

Date        Event
2025-05-23  Vulnerability reported to Nexudus by Stanislav Láznička (Microsoft)
2025-05-23  Rate limiting applied to the magic link endpoint
2025-06-01  Public disclosure

Credit

Reported by Stanislav Láznička, Principal Software Engineer at Microsoft.