
[audit][P1][security] core: initErrorRoutes leaks err.message/code to clients in production #3726

@PierreBrisorgueil

Description


Finding: NODE-CORE-01
File: lib/services/express.js:313-321

The global error handler sends { message: err.message, code: err.code } unconditionally — no NODE_ENV guard, unlike responses.error (responses.js:100). Controllers next(err) raw Mongoose errors (e.g. E11000 ... index: email_1), leaking internals in prod.

Fix: In production send only { message: 'Internal Server Error' }; or funnel all errors through responses.error for one sanitization path.

Devkit Node clean audit 2026-05-29 (rev d42eb12). Verified real by an independent refute-by-default reviewer. Fix flows through /feature #N → /verify-qa → /pull-request-finalize.
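Added example, not code from the audited project: the leaking handler described in the finding next to a hardened form that guards on NODE_ENV, run against a constructed Mongoose-style duplicate-key error with a minimal Express response stand-in. The names buildErrorBody, makeSafeHandler, leakyHandler and demo are assumptions, not the project's API.

```javascript
// Constructed sample: the shape of a raw Mongoose duplicate-key error that a
// controller might hand to next(err) unchanged (not a real record).
const sampleMongooseError = Object.assign(
  new Error('E11000 duplicate key error collection: app.users index: email_1 dup key: { email: "a@b.c" }'),
  { code: 11000 }
);

// Minimal stand-in for an Express response object so the handlers run without Express.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Leaking form, as described in the finding: err.message and err.code go to the
// client in every environment.
function leakyHandler(err, req, res, next) {
  res.status(err.status || 500).json({ message: err.message, code: err.code });
}

// Single sanitisation path: in production the client gets only a generic message;
// elsewhere the detail is kept for debugging.
function buildErrorBody(err, env) {
  if (env === 'production') return { message: 'Internal Server Error' };
  return { message: err.message, code: err.code };
}

// Factory so the environment is fixed when the handler is registered
// (app.use(makeSafeHandler(process.env.NODE_ENV))) while the returned handler
// keeps Express's four-argument error-handler signature.
function makeSafeHandler(env) {
  return function safeHandler(err, req, res, next) {
    // Full detail stays server-side (a real app would use its logger here).
    console.error('unhandled error:', err.message, err.code);
    res.status(err.status || 500).json(buildErrorBody(err, env));
  };
}

// Run both handlers against the constructed error and return what each client would see.
function demo(env) {
  const leaky = makeRes();
  leakyHandler(sampleMongooseError, {}, leaky, () => {});
  const safe = makeRes();
  makeSafeHandler(env)(sampleMongooseError, {}, safe, () => {});
  return { leaky: leaky.body, safe: safe.body };
}
```

In production the leaky body still carries the collection and index name while the hardened body carries only the generic message.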
