
CWE-209 (Information Exposure Through Error Messages) — Vulnerability Class 297

297 vulnerabilities classified as CWE-209 (Information Exposure Through Error Messages). AI-generated Chinese analysis included.

CWE-209 represents a critical information disclosure weakness where software inadvertently exposes sensitive internal details through error messages. This flaw typically occurs when applications return verbose stack traces, database paths, or user-specific data to end-users during failure states. Attackers exploit this by triggering specific errors to gather reconnaissance information, such as server architecture, file structures, or valid user identifiers, which facilitates further targeted attacks like SQL injection or privilege escalation. To mitigate this risk, developers must implement robust error handling mechanisms that separate internal diagnostic logs from user-facing messages. By standardizing generic, non-descriptive error responses for external users while retaining detailed logs for internal debugging, organizations can prevent attackers from leveraging error output to map system vulnerabilities or compromise sensitive data integrity.

MITRE CWE Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common Consequences (1)
Confidentiality: Read Application Data
Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In tur…
Mitigations (5)
Implementation: Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Implementation: Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation, Build and Compilation: Debugging information should not make its way into a production release.
Examples (2)
In the following example, sensitive information might be printed depending on the exception that occurs.
    try {
        /.../
    } catch (Exception e) {
        System.out.println(e);
    }
Bad · Java
This code tries to open a database connection, and prints any exceptions that occur.
    try {
        openDbConnection();
    }
    // print exception message that includes exception message and configuration file location
    catch (Exception $e) {
        echo 'Caught exception: ', $e->getMessage(), "\n";
        echo 'Check credentials in config file at: ', $Mysql_config_location, "\n";
    }
Bad · PHP
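The two MITRE examples above show the weak pattern: the exception text, and even the configuration file path, go straight to the client. The mitigations section asks for the opposite split, full detail in an internal log and a generic message for the user. The following Python snippet is an added example, not code from MITRE or from any product listed on this page; it replays the PHP example's failing database connection through one central handler. MYSQL_CONFIG_LOCATION, open_db_connection and the in-memory log handler are constructed stand-ins so the block runs offline. The debug flag reproduces the leaking behaviour beside the hardened default so the difference can be checked.

```python
import json
import logging
import traceback
import uuid

# Constructed sample value standing in for the config path the PHP example echoes.
MYSQL_CONFIG_LOCATION = "/etc/app/mysql.conf"

logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.propagate = False


class _MemoryHandler(logging.Handler):
    """Keeps formatted records in a list so the internal log can be inspected."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


_log_store = _MemoryHandler()
logger.addHandler(_log_store)


class DbConnectionError(Exception):
    pass


def open_db_connection():
    # Hypothetical connection attempt; it always fails so the handler path runs.
    raise DbConnectionError(
        f"access denied for user 'app'; check {MYSQL_CONFIG_LOCATION}"
    )


def handle_error(exc, debug=False):
    """Log the full detail internally and return only a generic message plus a
    correlation id to the client. With debug=True the exception text is echoed
    back to the client, which is the CWE-209 behaviour and must not ship."""
    incident_id = uuid.uuid4().hex[:12]
    stack = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("incident=%s type=%s detail=%s\n%s",
                 incident_id, type(exc).__name__, exc, stack)
    body = {"error": "An internal error occurred.", "incident_id": incident_id}
    if debug:
        body["detail"] = str(exc)
    return 500, body


def connect_and_respond(debug=False):
    """Equivalent of the PHP example's try/catch, returning an HTTP-style (status, body)."""
    try:
        open_db_connection()
    except Exception as exc:  # broad on purpose: every failure goes through one handler
        return handle_error(exc, debug=debug)
    return 200, {"ok": True}


def leaks_internal_detail(body):
    """True if a client-facing body contains something only the operator should see."""
    text = json.dumps(body)
    return MYSQL_CONFIG_LOCATION in text or "access denied" in text


def last_log_entry():
    return _log_store.records[-1] if _log_store.records else ""


if __name__ == "__main__":
    status, body = connect_and_respond()
    print(status, json.dumps(body))
    print("internal log:", last_log_entry().splitlines()[0])
```

The incident id is the only thing the client and the operator share: a user reporting it lets support find the stack trace and the config path in the internal log, while the response body itself carries nothing about the environment. The same body shape can be returned for every failure type, which also removes the differential error messages that the user-enumeration CVEs in the table below rely on.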
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-41644 | monetr is vulnerable to server-side request forgery in Lunch Flow link creation and refresh | monetr | 4.3 (AI) | Medium (AI) | 2026-05-07
CVE-2025-31960 | HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module | BigFix Service Management (SM) | 5.3 | Medium | 2026-05-06
CVE-2025-59853 | HCL DFXAnalytics is affected by an Improper Error Handling vulnerability | DFXAnalytics | 3.1 | Low | 2026-05-06
CVE-2026-40969 | Spring gRPC AuthenticationException message reflected to remote client | Spring gRPC | 3.7 | Low | 2026-04-28
CVE-2026-3259 | Sensitive Data Disclosure in BigQuery via Materialized View Error Messages | BigQuery | 4.3 (AI) | Medium (AI) | 2026-04-23
CVE-2025-14243 | Mirror-registry: openshift mirror registry: user enumeration via authentication error messages | mirror registry for Red Hat OpenShift | 5.3 | Medium | 2026-04-08
CVE-2026-24511 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 4.4 | Medium | 2026-04-08
CVE-2026-34045 | Podman Desktop WebView Server Exposed | podman-desktop | 8.2 | High | 2026-04-07
CVE-2025-71282 | XenForo Path Disclosure via open_basedir Exceptions | XenForo | 7.5 | High | 2026-04-01
CVE-2026-4994 | wandb OpenUI APIStatusError server.py generic_exception_handler information exposure | OpenUI | 3.5 | Low | 2026-03-28
CVE-2026-2484 | IBM InfoSphere Information Server Information Disclosure | InfoSphere Information Server | 4.3 | Medium | 2026-03-25
CVE-2026-1262 | IBM InfoSphere Information Server Information Disclosure | InfoSphere Information Server | 4.3 | Medium | 2026-03-25
CVE-2026-21783 | HCL Traveler is affected by sensitive information disclosure | Traveler | 4.3 | Medium | 2026-03-24
CVE-2026-4633 | Keycloak: keycloak: user enumeration via differential error messages | Red Hat Build of Keycloak | 3.7 | Low | 2026-03-23
CVE-2026-33192 | free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques | free5gc | 3.7 | - | 2026-03-20
CVE-2026-33065 | free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request | free5gc | 5.3 | - | 2026-03-20
CVE-2025-13726 | IBM Sterling Partner Engagement Manager Information Disclosure | Sterling Partner Engagement Manager | 5.3 | Medium | 2026-03-13
CVE-2026-30835 | Parse Server: Malformed `$regex` query leaks database error details in API response | parse-server | 7.5 | - | 2026-03-06
CVE-2026-29110 | Cryptomator: Leaking of cleartext paths into log file in non-debug mode | cryptomator | 2.2 | Low | 2026-03-06
CVE-2026-2752 | Navtor NavBox security vulnerability | NavBox | 5.3 | Medium | 2026-03-06
CVE-2026-27643 | free5GC has improper error handling in NEF with information exposure | udr | 5.3 | - | 2026-02-24
CVE-2025-69253 | free5GC vulnerable to improper error handling in NEF with information exposure | udr | 5.3 | - | 2026-02-24
CVE-2025-69208 | free5GC UDR's NEF incorrectly returns 500 for missing PFD data (UDR 404) in Nnef_PfdManagement GET request | udr | 7.5 (AI) | High (AI) | 2026-02-23
CVE-2025-65995 | Apache Airflow: Disclosure of secrets to UI via kwargs | Apache Airflow | 6.5 (AI) | Medium (AI) | 2026-02-21
CVE-2026-26957 | Libredesk has an SSRF Vulnerability via Webhooks | github.com/abhinavxd/libredesk | 5.5 (AI) | Medium (AI) | 2026-02-19
CVE-2026-27004 | OpenClaw session tool visibility hardening and Telegram webhook secret fallback | openclaw | 6.5 | - | 2026-02-19
CVE-2025-36348 | The Dashboard of IBM Sterling B2B Integrator and IBM Sterling File Gateway is Vulnerable to Information Disclosure | Sterling B2B Integrator | 4.9 | Medium | 2026-02-17
CVE-2025-66594 | Yokogawa FAST/TOOLS security vulnerability | FAST/TOOLS | 5.3 (AI) | Medium (AI) | 2026-02-09
CVE-2023-38281 | Multiple Vulnerabilities in IBM Cloud Pak System | Cloud Pak System | 5.3 | Medium | 2026-02-04
CVE-2023-38017 | Multiple Vulnerabilities in IBM Cloud Pak System | Cloud Pak System | 5.3 | Medium | 2026-02-04

Vulnerabilities classified as CWE-209 (Information Exposure Through Error Messages) represent 297 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.