# Information Exposure Through Error Messages

- ID: javascript-error-message-exposure
- Severity: MEDIUM
- CWE: Error Message Information Leak (CWE-209)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs, nodejs

## Description

Detects exposure of sensitive error information (`error.message`, `error.stack`, or a raw error object) in HTTP responses. Such responses can leak:

- Internal file paths and directory structure
- Database schema and query details
- Third-party API endpoints and credentials
- Software versions and technology stack
- Business logic and validation rules

Attackers use this information to:

- Map the internal architecture
- Identify vulnerable dependencies
- Craft targeted attacks
- Bypass security controls

## Detection Message

Sensitive error information (message, stack, or raw error object) is exposed in an HTTP response. Error details can reveal internal architecture, file paths, database schema, and other sensitive information to attackers.

## Remediation

Return a generic error message to the client and log the detailed error server-side. Note that `error.message` on its own is frequently enough to leak a query, a path, or a hostname, so the message must not be forwarded either; nothing taken from the error object should reach the response body.

```javascript
} catch (error) {
  // Full detail stays in the server-side log only.
  logger.error('Failed', { error: error.message, stack: error.stack });
  // The client gets a fixed generic message and nothing from the error object.
  res.status(500).json({ error: 'An error occurred' });
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-209/error-message-exposure

## Related Rules

- **Database Error Information Exposure in HTTP Response** [MEDIUM]
- **Error Message Information Disclosure** [MEDIUM]
- **Internal Path and IP Address Disclosure** [MEDIUM]
- **tRPC Error Information Disclosure** [MEDIUM]