
CWE-209 (Information Exposure Through an Error Message) — Vulnerability Class 297

297 vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message). AI Chinese analysis included.

CWE-209 represents a critical information disclosure weakness where software inadvertently exposes sensitive internal details through error messages. This flaw typically occurs when applications return verbose stack traces, database paths, or user-specific data to end-users during failure states. Attackers exploit this by triggering specific errors to gather reconnaissance information, such as server architecture, file structures, or valid user identifiers, which facilitates further targeted attacks like SQL injection or privilege escalation. To mitigate this risk, developers must implement robust error handling mechanisms that separate internal diagnostic logs from user-facing messages. By standardizing generic, non-descriptive error responses for external users while retaining detailed logs for internal debugging, organizations can prevent attackers from leveraging error output to map system vulnerabilities or compromise sensitive data integrity.

MITRE CWE Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common Consequences (1)
Confidentiality: Read Application Data
Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In tur…
Mitigations (5)
Implementation: Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Implementation: Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation, Build and Compilation: Debugging information should not make its way into a production release.
Examples (2)
In the following example, sensitive information might be printed depending on the exception that occurs.
    try {
        /* ... */
    } catch (Exception e) {
        System.out.println(e);
    }
Bad · Java
This code tries to open a database connection, and prints any exceptions that occur.
    try {
        openDbConnection();
    }
    // print exception message that includes exception message and configuration file location
    catch (Exception $e) {
        echo 'Caught exception: ', $e->getMessage(), '\n';
        echo 'Check credentials in config file at: ', $Mysql_config_location, '\n';
    }
Bad · PHP
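The hardened counterpart to the PHP example above, as an added illustration that is not MITRE's or this page's own code: the driver message, config path and traceback go to a server-side log under an opaque reference id, and the user receives only a generic message carrying that id. The config path and the driver error text are constructed placeholders, and INTERNAL_LOG is a stand-in for a real logging sink.

```python
import traceback
import uuid

# Constructed placeholder for the config path the PHP example leaks to the user.
MYSQL_CONFIG_LOCATION = "/etc/app/mysql.conf"

# Stand-in for the server-side diagnostic log (a list so it can be inspected here).
INTERNAL_LOG: list[dict] = []


class DbError(Exception):
    pass


def open_db_connection() -> None:
    # Constructed failure carrying the kind of detail a real driver message has.
    raise DbError("Access denied for user 'app'@'10.0.0.5' (using password: YES)")


def handle_error_verbose(exc: Exception) -> str:
    """Mirrors the PHP example: driver text and config path go straight to the user."""
    return (f"Caught exception: {exc}\n"
            f"Check credentials in config file at: {MYSQL_CONFIG_LOCATION}\n")


def handle_error_safe(exc: Exception) -> tuple[str, str]:
    """Hardened form: full detail is logged under an opaque reference id and the
    user gets only a generic message plus that id for support to match against."""
    ref = uuid.uuid4().hex
    INTERNAL_LOG.append({
        "ref": ref,
        "type": type(exc).__name__,
        "message": str(exc),
        "config": MYSQL_CONFIG_LOCATION,
        "trace": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
    })
    return ref, f"Database connection failed. Reference: {ref}"


def connect() -> str:
    """User-facing entry point: exception text never reaches the caller."""
    try:
        open_db_connection()
        return "ok"
    except DbError as exc:
        return handle_error_safe(exc)[1]


SENSITIVE_MARKERS = ("/etc/", "Access denied", "using password", "Traceback")


def leaks_internals(user_msg: str) -> bool:
    """Response check: flags a user-facing message that carries internal detail."""
    return any(m in user_msg for m in SENSITIVE_MARKERS)
```

The marker list in leaks_internals is deliberately small; in a test suite it would be fed by the strings that actually appear in the application's own driver and framework errors.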
CVE ID · Title — Product · CVSS · Severity · Published
CVE-2023-38010 · Multiple Vulnerabilities in IBM Cloud Pak System — Cloud Pak System · CVSS 5.3 · Medium · 2026-02-04
CVE-2025-12773 · Plain password is generated in the audit logs while executing update-reports-purge-settings.sh script with Brocade SANnav before 2.4.0a — SANnav · CVSS 4.9 (AI) · Medium (AI) · 2026-02-03
CVE-2025-1395 · Sensitive Data Exposure in CoDeriApp's HeyGarson — HeyGarson · CVSS 8.2 · High · 2026-01-30
CVE-2025-11065 · Github.com/go-viper/mapstructure/v2: go-viper's mapstructure may leak sensitive information in logs in github.com/go-viper/mapstructure · CVSS 5.3 · Medium · 2026-01-26
CVE-2026-1175 · birkir prime GraphQL Directive graphql information exposure — prime · CVSS 5.3 · Medium · 2026-01-19
CVE-2025-55250 · HCL AION is affected by a Technical Error Disclosure vulnerability — AION · CVSS 1.8 · Low · 2026-01-19
CVE-2025-15526 · Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Full Path Disclosure via 'pdf' Parameter — Fancy Product Designer · CVSS 5.3 · Medium · 2026-01-16
CVE-2026-22646 · SICK Incoming Goods Suite security vulnerability — Incoming Goods Suite · CVSS 4.3 · Medium · 2026-01-15
CVE-2026-20838 · Windows Kernel Information Disclosure Vulnerability — Windows 11 version 22H3 · CVSS 5.5 · Medium · 2026-01-13
CVE-2025-62840 · HBS 3 Hybrid Backup Sync — HBS 3 Hybrid Backup Sync · CVSS 3.5 · - · 2026-01-02
CVE-2022-50686 · Kentico Xperience <= 12.0 Portal Engine Form Control Information Disclosure — Xperience · CVSS 7.5 · High · 2025-12-18
CVE-2025-9122 · Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information — Pentaho Data Integration and Analytics · CVSS 5.3 · Medium · 2025-12-15
CVE-2025-13978 · Generation of Error Message Containing Sensitive Information in GitLab — GitLab · CVSS 4.3 · Medium · 2025-12-11
CVE-2025-36437 · IBM Planning Analytics Local is vulnerable to disclosing sensitive information — IBM Planning Analytics Local · CVSS 4.3 · Medium · 2025-12-09
CVE-2025-66549 · Nextcloud Desktop discloses information when attempting to lock a file inside an end-to-end encrypted directory — security-advisories · CVSS 2.4 · Low · 2025-12-05
CVE-2025-13596 · Improper Error Handling Leading to Sensitive Information Disclosure in CIGES ≤ 2.15.6 — CIGES · CVSS 5.3 (AI) · Medium (AI) · 2025-11-24
CVE-2025-41076 · Multiple vulnerabilities in Limesurvey — LimeSurvey · CVSS 7.5 · - · 2025-11-20
CVE-2025-40760 · Siemens Altair Grid Engine security vulnerability — Altair Grid Engine · CVSS 5.5 · Medium · 2025-11-11
CVE-2025-61959 · Vertikal Systems Hospital Manager Backend Services Generation of Error Message Containing Sensitive Information — Hospital Manager Backend Services · CVSS 5.3 · Medium · 2025-10-29
CVE-2025-12365 · Error Messages Wrapped In HTTP Header — BLU-IC2 · CVSS 6.5 (AI) · Medium (AI) · 2025-10-27
CVE-2025-62397 · Moodle: router produces json instead of 404 error for invalid course id · CVSS 5.3 · Medium · 2025-10-23
CVE-2025-62168 · Squid vulnerable to information disclosure via authentication credential leakage in error handling — squid · CVSS 10.0 · Critical · 2025-10-17
CVE-2025-55676 · Windows USB Video Class System Driver Information Disclosure Vulnerability — Windows 11 Version 24H2 · CVSS 5.5 · Medium · 2025-10-14
CVE-2025-54291 · Project existence disclosure in LXD images API — LXD · CVSS 5.3 (AI) · Medium (AI) · 2025-10-02
CVE-2025-26333 · Dell Crypto-J security vulnerability — BSAFE Crypto-J · CVSS 5.9 · Medium · 2025-09-25
CVE-2025-53803 · Windows Kernel Memory Information Disclosure Vulnerability — Windows 10 Version 1507 · CVSS 5.5 · Medium · 2025-09-09
CVE-2025-43776 · Liferay Portal and Liferay DXP security vulnerability — Portal · CVSS 5.4 (AI) · Medium (AI) · 2025-09-09
CVE-2025-59016 · Information Disclosure via File Abstraction Layer — TYPO3 CMS · CVSS 4.3 (AI) · Medium (AI) · 2025-09-09
CVE-2025-43777 · Liferay Portal and Liferay DXP security vulnerability — Portal · CVSS 7.5 (AI) · High (AI) · 2025-09-09
CVE-2025-36003 · IBM Security Verify Governance Identity Manager information disclosure — Security Verify Governance Identity Manager · CVSS 7.5 · High · 2025-08-28

Vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message) represent 297 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.