mediumInfrastructure

Stack Traces and Error Details Shown to Users

What Is This Vulnerability?

When an application displays raw error messages, stack traces, or exception details to end users, it leaks internal information about the tech stack, file paths, database structure, and third-party services. This information disclosure helps attackers identify specific software versions, vulnerable libraries, and potential attack vectors.

Why It Happens

Applications in development are configured to display verbose errors for debugging. When deployed to production without proper error handling, these detailed messages reach end users. Many frameworks default to showing full stack traces, and developers forget to configure custom error handlers. Unhandled exceptions in API responses also leak implementation details.

Example Code

Vulnerableroutes.ts
app.get("/api/users/:id", async (req, res) => {
  try {
    const user = await db.query(
      "SELECT * FROM users WHERE id = $1",
      [req.params.id]
    );
    res.json(user.rows[0]);
  } catch (error) {
    res.status(500).json({
      error: error.message,
      stack: error.stack,
      query: error.query,
    });
  }
});
Fixedroutes.ts
import { randomUUID } from "crypto";
import { logger } from "./logger";

app.get("/api/users/:id", async (req, res) => {
  try {
    const user = await db.query(
      "SELECT * FROM users WHERE id = $1",
      [req.params.id]
    );
    res.json(user.rows[0]);
  } catch (error) {
    const errorId = randomUUID();
    logger.error({ errorId, error, path: req.path });
    res.status(500).json({
      error: "An internal error occurred",
      errorId,
    });
  }
});

How Hackers Exploit It

Attackers deliberately send malformed inputs to trigger errors and inspect the responses. Stack traces reveal framework versions, ORM queries expose database table and column names, and file paths disclose the server OS and directory structure. This reconnaissance helps attackers choose targeted exploits, craft SQL injection payloads, and identify vulnerable dependency versions.

How to Fix It

Implement a global error handler that catches all exceptions and returns generic error messages to clients. Log detailed error information server-side with a correlation ID that can be referenced for debugging. Use custom error pages for web applications. In APIs, always return structured error responses with safe messages and a trace ID, never raw exceptions.

Frequently Asked Questions

What information do stack traces reveal?
Stack traces typically expose the programming language and framework version, file system paths showing the OS and directory structure, database query strings and table names, third-party library names and versions, internal function names revealing business logic, and sometimes environment variables or configuration values embedded in error context.
What is a correlation ID for error handling?
A correlation ID is a unique identifier (usually a UUID) generated for each error occurrence. The ID is returned to the client in the generic error response and also logged server-side alongside the full error details. Support teams can use this ID to look up the actual error without exposing sensitive information to the end user.
How do I test for information leakage in error responses?
Send requests with invalid input types, missing required fields, malformed JSON, extremely long strings, and special characters to your API endpoints. Inspect the responses for stack traces, file paths, SQL queries, or framework error pages. Automated tools like OWASP ZAP can also scan for information leakage patterns.

Related Security Topics

Debug Mode Enabled in Production

Learn about debug mode enabled in production and how to fix it.

Admin Panel Accessible Without Authentication

Learn about admin panel accessible without authentication and how to fix it.

No Rate Limiting on API Endpoints

Learn about no rate limiting on api endpoints and how to fix it.

Check Your Code for This Vulnerability

Run a free scan to check if your site is affected by stack traces and error details shown to users.