# tRPC Error Information Disclosure

- ID: trpc-error-information-leak
- Severity: MEDIUM
- CWE: Error Message Information Leak (CWE-209)
- Languages: JavaScript, TypeScript
- Frameworks: trpc

## Description

Exposing raw errors, stack traces, or database details to clients aids attackers in reconnaissance and exploitation.

## Detection Message

Error handling exposes implementation details. Use an error formatter to sanitize errors in production.

## Remediation

Use `errorFormatter` to sanitize errors in production.

```typescript
import { initTRPC } from '@trpc/server';

export const t = initTRPC.context().create({
  errorFormatter({ shape }) {
    return {
      ...shape,
      data: {
        ...shape.data,
        // Return the stack trace only outside production
        stack: process.env.NODE_ENV === 'production' ? undefined : shape.data.stack
      }
    };
  }
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-209/error-information-leak

## Related Rules

- **Database Error Information Exposure in HTTP Response** [MEDIUM]:
- **Information Exposure Through Error Messages** [MEDIUM]:
- **Error Message Information Disclosure** [MEDIUM]:
- **Internal Path and IP Address Disclosure** [MEDIUM]:
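
The remediation snippet in this rule removes `stack` but passes `shape.message` through unchanged, so the text of an unexpected exception still reaches the client. The following is an added example, not code from the rule or from tRPC: a helper that could be called from `errorFormatter`, where the `TrpcErrorShape` type, the list of client-safe codes and the `sanitizeErrorShape` name are assumptions made for illustration.

```typescript
// Added example. Field names follow the shape used by the rule's formatter
// (message, data.stack); the rest of these types is an assumption.
interface TrpcErrorData { code: string; httpStatus: number; path?: string; stack?: string }
interface TrpcErrorShape { message: string; code: number; data: TrpcErrorData }

// Assumption: errors with these codes are thrown deliberately by procedures
// with text written for the caller, so their message may be returned.
const CLIENT_SAFE_CODES = new Set<string>([
  'BAD_REQUEST', 'UNAUTHORIZED', 'FORBIDDEN', 'NOT_FOUND', 'CONFLICT',
]);
const GENERIC_MESSAGE = 'Internal server error';

// Hypothetical helper: builds the shape that is sent to the client.
function sanitizeErrorShape(shape: TrpcErrorShape, isProduction: boolean): TrpcErrorShape {
  if (!isProduction) return shape; // full detail stays available in development

  // Allow-list the data fields instead of spreading, so a field added later
  // (stack, cause, query text) is not forwarded by accident.
  const data: TrpcErrorData = { code: shape.data.code, httpStatus: shape.data.httpStatus };
  if (shape.data.path !== undefined) data.path = shape.data.path;

  // Unexpected failures get a fixed message; deliberate client errors keep theirs.
  const message = CLIENT_SAFE_CODES.has(shape.data.code) ? shape.message : GENERIC_MESSAGE;
  return { message, code: shape.code, data };
}

// Constructed sample: an unexpected database exception surfaced as an internal error.
const constructedDbError: TrpcErrorShape = {
  message: 'duplicate key value violates unique constraint "users_email_key"',
  code: -32603,
  data: {
    code: 'INTERNAL_SERVER_ERROR',
    httpStatus: 500,
    path: 'user.create',
    stack: 'Error: duplicate key value\n    at insertUser (/srv/app/src/db/users.ts:42:11)',
  },
};

console.log(JSON.stringify(sanitizeErrorShape(constructedDbError, true)));
```

The second argument would be `process.env.NODE_ENV === 'production'` when the helper is called from the formatter; the original error should still be written to server-side logs so the detail is not lost.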