Description

We identified a potential security vulnerability within your web application that utilizes GraphQL. The application is inadvertently disclosing sensitive exception details, such as error messages and stack traces, through the errors.message.extensions.exception.stack response properties. This information leakage poses a risk to the application's security posture, as attackers could exploit the exposed details to gain further insight into the system's architecture and potentially launch more targeted attacks.

Remediation

  • Implement proper error handling mechanisms in the GraphQL server to catch and manage exception errors. Ensure that exceptions are caught and handled at the appropriate level within the application. Utilize try-catch blocks to manage exceptions and avoid unhandled errors.
  • Replace detailed error messages with generic ones that do not disclose sensitive information. Error messages should be informative enough for users to understand the issue but not specific enough to reveal underlying system details that may be exploited by attackers.

References

GraphQL spec

Related Vulnerabilities

WordPress Plugin Page Flip Image Gallery 'book_id' Parameter Remote File Disclosure (0.2.2)

WordPress Plugin Simple Image Manipulator Arbitrary File Download (1.0)

Directory listings

WordPress Plugin WP REST API (WP API) Information Disclosure (1.2)

Go web application binary disclosure

Severity

Medium

Classification

CWE-209 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Information Disclosure Error Handling