Severity: medium | CWE-209 | OWASP Top 10 A05:2021

Verbose Error Messages

Detailed error messages, stack traces, or internal paths sent to the client or logged publicly, giving attackers a map of your application internals.

How It Works

Stack traces reveal file paths, library versions, function names, and sometimes database schemas. An attacker who sees `Error: column 'password_hash' of relation 'users' does not exist` learns your table structure. Error messages are free reconnaissance.

Vulnerable Code

// BAD: raw error sent to client
export async function POST(req: Request) {
  try {
    const user = await db.users.create({ data: await req.json() });
    return Response.json(user);
  } catch (error) {
    return Response.json({ error: error.message, stack: error.stack }, { status: 500 });
  }
}

Secure Code

// GOOD: generic message to client, details to logs
export async function POST(req: Request) {
  try {
    const user = await db.users.create({ data: await req.json() });
    return Response.json(user);
  } catch (error) {
    console.error('[/api/users POST]', error); // server log only
    return Response.json({ error: 'Something went wrong' }, { status: 500 });
  }
}

Real-World Example

A Next.js app in development mode was accidentally deployed to production. The detailed error overlay exposed full stack traces including absolute file paths and Prisma query internals to every visitor who triggered an error.

How to Prevent It

  • Return generic error messages to clients (e.g. 'Something went wrong') in production
  • Log detailed errors server-side using Sentry or structured logging — never in the response
  • Ensure NODE_ENV=production in your deployment environment to disable dev error overlays
  • Never send stack traces, file paths, or query details in API responses
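The secure handler above still relies on every route author remembering to swap the error for a fixed string. The example below, added here and not part of Data Hogo's page or any project's code, centralises that decision: one `sanitizeError` boundary that keeps message, stack and paths in the server-side log entry, sends callers a generic message plus a correlation id, and only echoes messages from an explicit `PublicError` type meant for validation or auth failures. It also includes `responseLeaksInternals`, a check an API test can run over serialised response bodies to catch the stack-frame, path and schema-name patterns the "How It Works" section describes. The names `PublicError`, `sanitizeError`, `responseLeaksInternals` and the `db` in the usage sketch are this example's own assumptions.

```typescript
// Added example (not Data Hogo's code): a single error boundary for API route
// handlers plus a regression check for leaked internals.

// Errors a handler deliberately wants shown to the caller (validation, auth).
// Only these messages are ever echoed; anything else is treated as internal.
export class PublicError extends Error {
  readonly status: number;
  constructor(message: string, status = 400) {
    super(message);
    this.name = 'PublicError';
    this.status = status;
    // Keeps `instanceof PublicError` working when compiled to older targets.
    Object.setPrototypeOf(this, PublicError.prototype);
  }
}

export interface ClientBody {
  error: string;     // safe for any caller
  requestId: string; // lets support find the matching server-side log entry
}

export interface LogEntry {
  requestId: string;
  route: string;
  name: string;
  message: string;   // full detail, server side only
  stack?: string;
}

export interface Sanitized {
  status: number;
  client: ClientBody;
  log: LogEntry;
}

// Constructed placeholder for a correlation id; a real service would take
// this from its request logger or generate a UUID.
function newRequestId(): string {
  return Math.random().toString(16).slice(2, 14);
}

export function sanitizeError(error: unknown, route: string, requestId = newRequestId()): Sanitized {
  const err = error instanceof Error ? error : new Error(String(error));
  const log: LogEntry = { requestId, route, name: err.name, message: err.message, stack: err.stack };
  if (err instanceof PublicError) {
    return { status: err.status, client: { error: err.message, requestId }, log };
  }
  // Unexpected error: message, stack and paths stay in `log`; the caller gets a
  // fixed string regardless of NODE_ENV.
  return { status: 500, client: { error: 'Something went wrong', requestId }, log };
}

// Regression check for API tests: does a serialised response body contain the
// kinds of detail this page warns about? Patterns are constructed for the example.
const INTERNAL_MARKERS: RegExp[] = [
  /\bat\s+\S+\s+\(.*:\d+:\d+\)/,              // stack frame "at fn (file:line:col)"
  /(^|[\s"'(])\/(?:home|usr|var|app|src)\//,  // absolute or repo file paths
  /\b(relation|column|table)\s+'[^']+'/i,     // SQL schema names in DB errors
  /\bnode_modules\b/,
];

export function responseLeaksInternals(body: string): boolean {
  return INTERNAL_MARKERS.some((re) => re.test(body));
}

// Sketch of use inside a route handler (`db` is hypothetical):
// } catch (error) {
//   const { status, client, log } = sanitizeError(error, '/api/users POST');
//   console.error(log);                      // server log only
//   return Response.json(client, { status }); // generic message + requestId
// }
```

Returning the `requestId` to the caller is what makes the generic message workable in practice: a user can quote it to support, and the matching log entry carries the real stack trace, without the response itself carrying any of it.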

Affected Technologies

Node.js, Next.js, Python, Go, PHP

Data Hogo detects this vulnerability automatically.
