Server-generated Error Message Containing Sensitive Information

Status: Incomplete
Abstraction: Variant
Structure: Simple
Description

This vulnerability occurs when a web application or server returns detailed error messages that reveal sensitive internal information about the system.

Extended Description

When a server encounters an unexpected condition—like a database failure, a missing file, or an invalid request—it may generate an error message that leaks sensitive details. These details can include internal file paths, database schema information, server software versions, configuration settings, or even snippets of source code. While these messages are intended to help developers debug problems, they are often exposed to end-users, including potential attackers. Attackers actively probe applications for these verbose errors because they provide a blueprint of the system's internals. This information significantly reduces the effort needed for a successful attack, as it can reveal software versions to target with known exploits, expose directory structures for path traversal attacks, or disclose SQL query fragments that help craft SQL injection payloads. The core risk isn't the error itself, but the free intelligence it hands to a malicious actor, accelerating further exploitation.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

Potential Mitigations
Phase: Architecture and Design; System Configuration
Recommendations include designing and adding consistent error handling mechanisms which are capable of handling any user input to your web application, providing meaningful detail to end-users, and preventing error messages that might provide information useful to an attacker from being displayed.
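The following is an added example, not code from this entry or from any referenced project. It puts the leaking pattern from the Extended Description next to the consistent error-handling mechanism the mitigation recommends: a verbose handler that returns the exception text and traceback to the client, and a hardened handler that logs the full detail server-side under a correlation id and returns only a generic message plus that id. The handler names, the simulated database failure (`lookup_user`, `db-primary.internal`), and the in-memory log sink are all constructed for illustration.

```python
"""
Added example: verbose vs. hardened server error handling.
All names and the simulated failure below are constructed for illustration.
"""
import logging
import traceback
import uuid
from io import StringIO

# Constructed in-memory log sink so the example runs offline; a real service
# would route these records to its logging pipeline, not to the HTTP response.
LOG_BUFFER = StringIO()
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(logging.StreamHandler(LOG_BUFFER))
logger.propagate = False


class DatabaseError(Exception):
    pass


def lookup_user(user_id: str) -> dict:
    """Hypothetical data-access function that fails the way a real one might,
    with an internal hostname and a query fragment in the exception message."""
    raise DatabaseError(
        "connection to db-primary.internal:5432 refused "
        "(query: SELECT * FROM users WHERE id = %s)" % user_id
    )


def verbose_handler(user_id: str) -> tuple:
    """Weak pattern: the exception text and traceback go straight to the client.
    Returns (status_code, response_body)."""
    try:
        return 200, str(lookup_user(user_id))
    except Exception:
        return 500, "Internal error:\n" + traceback.format_exc()


def hardened_handler(user_id: str) -> tuple:
    """Hardened pattern: keep the detail for operators, give the client only a
    generic message and a correlation id they can quote to support.
    Returns (status_code, response_body)."""
    try:
        return 200, str(lookup_user(user_id))
    except Exception:
        incident_id = uuid.uuid4().hex
        # Exception type, message and traceback are recorded server-side only.
        logger.error("incident=%s\n%s", incident_id, traceback.format_exc())
        return 500, f"An internal error occurred. Reference: {incident_id}"


def response_leaks_internals(body: str) -> bool:
    """Check a test suite can run against every error response: does the body
    carry markers of internal detail (tracebacks, source paths, internal
    hostnames, SQL fragments)?"""
    markers = ("Traceback", 'File "', ".internal", "SELECT ")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for name, handler in (("verbose", verbose_handler), ("hardened", hardened_handler)):
        status, body = handler("42")
        print(f"{name}: status={status} leaks_internals={response_leaks_internals(body)}")
        print(body[:160])
        print()
```

The correlation id is the piece that keeps the hardened response useful: a user can report it, an operator can find the full traceback in the log, and nothing about paths, hosts or queries reaches the client. `response_leaks_internals` is the kind of assertion worth adding to an integration test so that a later change which re-enables debug output is caught before release.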
Modes of Introduction
Implementation