WordPress / gutenberg

The Block Editor project for WordPress and beyond. Plugin is available from the official repository.
https://wordpress.org/gutenberg/

Infinite loop on API req in Block editor after wordpress_logged_in cookie is removed #67431

Open iruzevic opened 4 hours ago

iruzevic commented 4 hours ago

Description

When you log into the editor and manually remove the wordpress_logged_in cookie, any attempt to save or perform actions in the editor will trigger an infinite loop of API requests, resulting in a 403 Forbidden response with rest_cookie_invalid_nonce.

Even after refreshing the page, these requests will persist, and the only way to stop them is to manually log out.

This infinite loop of requests can spike your CPU to 100%, rendering your site unresponsive.

All details can be found in the video: https://drive.google.com/file/d/1SpwEp_kg0okedNBe9yfHpAqMb-wQKdPi/view?usp=sharing

Step-by-step reproduction instructions

  1. Login
  2. Open a block editor
  3. Remove the wordpress_logged_in cookie
  4. Save the draft
  5. See the infinite requests in the inspector

Screenshots, screen recording, code snippet

https://github.com/user-attachments/assets/c1361c9e-810f-46a1-b1ce-bf6bae1329b6

Environment info

Tested:

Please confirm that you have searched existing issues in the repo.

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Please confirm which theme type you used for testing.
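
One way a REST client can bound the failure mode reported above, as an added example that is not Gutenberg's api-fetch code and not part of the original report. It assumes the client refreshes its nonce and retries when it sees `rest_cookie_invalid_nonce`; `createNonceAwareClient`, `transport`, `refreshNonce` and the sample request are hypothetical.

```javascript
// Added example with hypothetical names; not Gutenberg's api-fetch code.
const INVALID_NONCE = 'rest_cookie_invalid_nonce';
const REJECT = { status: 403, code: INVALID_NONCE }; // constructed server reply
class SessionExpiredError extends Error {}

// Assumed shapes: transport(request, nonce) resolves to { status, code };
// refreshNonce() resolves to a new nonce string.
function createNonceAwareClient({ transport, refreshNonce, initialNonce, maxRefreshes = 1 }) {
  let nonce = initialNonce;
  let sessionDead = false; // latched so later saves fail fast instead of looping again

  return async function send(request) {
    if (sessionDead) throw new SessionExpiredError('session expired, log in again');
    for (let refreshes = 0; ; refreshes++) {
      const res = await transport(request, nonce);
      if (!(res.status === 403 && res.code === INVALID_NONCE)) return res;
      if (refreshes >= maxRefreshes) {
        // A fresh nonce was rejected too: the auth cookie is gone, so stop retrying.
        sessionDead = true;
        throw new SessionExpiredError('session expired, log in again');
      }
      nonce = await refreshNonce();
    }
  };
}

// Constructed scenario: cookie removed, so the server rejects every nonce.
async function demoCookieRemoved() {
  let calls = 0;
  const send = createNonceAwareClient({
    transport: async () => { calls++; return REJECT; },
    refreshNonce: async () => 'fresh-nonce',
    initialNonce: 'stale-nonce',
  });
  const outcomes = [];
  for (let i = 0; i < 2; i++) { // two save attempts
    try { await send({ method: 'POST', path: '/wp/v2/posts/1' }); outcomes.push('ok'); }
    catch (e) { outcomes.push(e instanceof SessionExpiredError ? 'expired' : 'error'); }
  }
  return { calls, outcomes };
}

// Constructed scenario: only the nonce is stale, the cookie is still valid.
async function demoStaleNonce() {
  let calls = 0;
  const transport = async (_req, n) => { calls++; return n === 'stale-nonce' ? REJECT : { status: 200 }; };
  const send = createNonceAwareClient({ transport, refreshNonce: async () => 'fresh-nonce', initialNonce: 'stale-nonce' });
  const res = await send({ method: 'POST', path: '/wp/v2/posts/1' });
  return { calls, status: res.status };
}
```

With the cap in place, two save attempts against a server that rejects every nonce cost two requests in total, while an ordinary stale nonce still recovers after one refresh.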

Mayank-Tripathi32 commented 3 hours ago

Hello @iruzevic,

Thank you for reporting the issue. I was able to replicate the problem. Saving settings and other actions worked on the settings page, but I couldn’t save Gutenberg drafts. I’m not entirely sure how this should be addressed; perhaps the system should log the user out if the cookie is removed or missing?

Test Bench: