
CWE-209 (Information Exposure Through an Error Message) — Vulnerability Class 297

297 vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message). AI Chinese analysis included.

CWE-209 represents a critical information disclosure weakness where software inadvertently exposes sensitive internal details through error messages. This flaw typically occurs when applications return verbose stack traces, database paths, or user-specific data to end-users during failure states. Attackers exploit this by triggering specific errors to gather reconnaissance information, such as server architecture, file structures, or valid user identifiers, which facilitates further targeted attacks like SQL injection or privilege escalation. To mitigate this risk, developers must implement robust error handling mechanisms that separate internal diagnostic logs from user-facing messages. By standardizing generic, non-descriptive error responses for external users while retaining detailed logs for internal debugging, organizations can prevent attackers from leveraging error output to map system vulnerabilities or compromise sensitive data integrity.

MITRE CWE Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Common Consequences (1)
Confidentiality: Read Application Data
Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In tur…
Mitigations (5)
Implementation: Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or…
Implementation: Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation, Build and Compilation: Debugging information should not make its way into a production release.
Examples (2)
In the following example, sensitive information might be printed depending on the exception that occurs.

    try {
        /.../
    }
    catch (Exception e) {
        System.out.println(e);
    }

Bad · Java
This code tries to open a database connection, and prints any exceptions that occur.

    try {
        openDbConnection();
    }
    // print exception message that includes exception message and configuration file location
    catch (Exception $e) {
        echo 'Caught exception: ', $e->getMessage(), "\n";
        echo 'Check credentials in config file at: ', $Mysql_config_location, "\n";
    }

Bad · PHP
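The two MITRE snippets show the weakness; the following is an added example (not code from this page, MITRE, or any product listed below) of the separation the mitigations call for: the full exception and configuration path go to an internal log under a reference id, the client gets only a generic message plus that id, and a debug switch controls whether detail is ever returned. It also covers the account-enumeration variant that several CVEs in the list below describe (password reset and login responses that differ for known and unknown users). All names here (Response, open_db_connection, handle_request_*, password_reset_*, the account table, the config path) are hypothetical and constructed for the example.

```python
"""Separating internal diagnostics from user-facing errors (CWE-209).

Added example, not code from the page or from MITRE. Every name below
(Response, open_db_connection, handle_request_*, password_reset_*) is a
hypothetical stand-in for an application's own request layer.
"""
import logging
import uuid
from dataclasses import dataclass, field

# Internal log sink. In a real deployment this is the application log and
# never part of an HTTP response; it is kept in memory here so it can be
# inspected from a test.
INTERNAL_LOG: list = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        INTERNAL_LOG.append(self.format(record))


log = logging.getLogger("app.internal")
log.setLevel(logging.ERROR)
log.addHandler(_ListHandler())
log.propagate = False


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


class DbConfigError(Exception):
    pass


def open_db_connection(config_path: str) -> None:
    # Constructed failure: the connection always fails and the exception text
    # carries the configuration path, mirroring the PHP example above.
    raise DbConfigError(f"access denied; check credentials in {config_path}")


def handle_request_bad(config_path: str) -> Response:
    """The CWE-209 pattern: exception text and config location reach the client."""
    try:
        open_db_connection(config_path)
    except Exception as e:
        return Response(500, {"error": str(e), "config": config_path})
    return Response(200, {"ok": True})


def handle_request_safe(config_path: str, debug: bool = False) -> Response:
    """Hardened form: full detail goes to the internal log under a reference id;
    the client only receives a generic message and that id."""
    try:
        open_db_connection(config_path)
    except Exception as e:
        ref = uuid.uuid4().hex[:12]
        # exc_info=e attaches the traceback to the internal record only.
        log.error("ref=%s op=open_db_connection config=%s", ref, config_path, exc_info=e)
        if debug:  # must be off in production builds (the "debugging information" mitigation above)
            return Response(500, {"error": str(e), "ref": ref})
        return Response(500, {"error": "Internal error; quote the reference id when contacting support.",
                              "ref": ref})
    return Response(200, {"ok": True})


# Constructed account table and outgoing-mail queue for the enumeration case.
ACCOUNTS = {"alice@example.com"}
RESET_QUEUE: list = []


def password_reset_bad(email: str) -> Response:
    """Different status and wording for known and unknown addresses let a
    caller enumerate registered accounts."""
    if email not in ACCOUNTS:
        return Response(404, {"error": f"no account registered for {email}"})
    RESET_QUEUE.append(email)
    return Response(200, {"message": "reset link sent"})


def password_reset_safe(email: str) -> Response:
    """Same status and wording whether or not the address is registered.
    The mail step should also run asynchronously so response time does not
    differ between the two cases."""
    if email in ACCOUNTS:
        RESET_QUEUE.append(email)
    return Response(200, {"message": "If an account exists for that address, a reset link has been sent."})


def response_leaks(resp: Response, *sensitive: str) -> bool:
    """Check used in tests: does any sensitive string appear in the response body?"""
    text = " ".join(str(v) for v in resp.body.values())
    return any(s in text for s in sensitive)


if __name__ == "__main__":
    print(handle_request_bad("/etc/app/db.ini"))
    print(handle_request_safe("/etc/app/db.ini"))
    print(INTERNAL_LOG[-1].splitlines()[0])
```

The reference id is the piece that makes the generic message workable in practice: support staff can find the full traceback in the internal log without any of it ever being sent to the client.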
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-9229 | Information Disclosure in MiR robots and MiR fleet through verbose error pages | MiR Robots | 5.3 | Medium | 2025-08-20
CVE-2025-52619 | HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure | BigFix SaaS Remediate | 5.3 | Medium | 2025-08-15
CVE-2025-9005 | mtons mblog register information exposure | mblog | 3.7 | Low | 2025-08-15
CVE-2025-54791 | OMERO.web displays unecessary user information when requesting to reset the password | omero-web | 5.3 | Medium | 2025-08-13
CVE-2024-41984 | Multiple Siemens products security vulnerability | SmartClient modules Opcenter QL Home (SC) | 2.6 | Low | 2025-08-12
CVE-2024-41983 | Siemens SmartClient modules Opcenter QL Home security vulnerability | SmartClient modules Opcenter QL Home (SC) | 3.5 | Low | 2025-08-12
CVE-2025-8852 | WuKongOpenSource WukongCRM API Response upload information exposure | WukongCRM | 4.3 | Medium | 2025-08-11
CVE-2025-23320 | NVIDIA Triton Inference Server security vulnerability | Triton Inference Server | 7.5 | High | 2025-08-06
CVE-2025-8548 | atjiu pybbs Registered Email SettingsApiController.java sendEmailCode information exposure | pybbs | 3.7 | Low | 2025-08-05
CVE-2025-36090 | IBM Analytics Content Hub information disclosure | Analytics Content Hub | 4.3 | Medium | 2025-07-10
CVE-2024-37524 | IBM Analytics Content Hub information disclosure | Analytics Content Hub | 5.3 | Medium | 2025-07-10
CVE-2025-47813 | Wing FTP Server security vulnerability | Wing FTP Server | 4.3 | Medium | 2025-07-10
CVE-2025-40718 | Improper error handling vulnerability in Quiter Gateway | Quiter Gateway (Java WAR on Apache Tomcat) | 5.3 (AI) | Medium (AI) | 2025-07-08
CVE-2025-5731 | Infinispan: credential leakage in infinispan cli | infinispan | 5.5 | Medium | 2025-06-26
CVE-2025-49128 | Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation | jackson-core | 4.0 | Medium | 2025-06-06
CVE-2024-56342 | IBM Verify Identity Access Digital Credentials information disclosure | Verify Identity Access Digital Credentials | 4.3 | Medium | 2025-06-06
CVE-2025-25025 | IBM Security Guardium information disclosure | Security Guardium | 4.3 | Medium | 2025-05-28
CVE-2025-40653 | User enumeration in M3M Printer Server Web | M3M Printer Server Web | 5.3 (AI) | Medium (AI) | 2025-05-26
CVE-2025-41441 | SYNCK GRAPHICA Mailform Pro CGI security vulnerability | Mailform Pro CGI | 5.3 (AI) | Medium (AI) | 2025-05-26
CVE-2025-46746 | Error Message Contains Sensitive Information | SEL Blueframe OS | 5.8 | Medium | 2025-05-12
CVE-2025-4166 | Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin | Vault | 4.5 | Medium | 2025-05-02
CVE-2025-0049 | Disclosure of sensitive information in an error message in GoAnywhere prior to version 7.8.0 | GoAnywhere | 3.5 | Low | 2025-04-28
CVE-2025-46575 | ZTE GoldenDB Database product has an information disclosure vulnerability | GoldenDB | 4.9 | Medium | 2025-04-27
CVE-2025-25045 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 4.3 | Medium | 2025-04-23
CVE-2025-20150 | Cisco Nexus Dashboard Username Enumeration Vulnerability | Cisco Nexus Dashboard | 5.3 | Medium | 2025-04-16
CVE-2024-11129 | Generation of Error Message Containing Sensitive Information in GitLab | GitLab | 6.3 | Medium | 2025-04-10
CVE-2025-32238 | WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Sensitive Data Exposure vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | 4.3 | Medium | 2025-04-04
CVE-2025-0279 | HCL Traveler is affected by generation of error messages containing sensitive information | HCL Traveler | 4.3 | Medium | 2025-04-03
CVE-2023-47639 | API Platform Core can leak exceptions message that may contain sensitive information | core | 5.3 | Medium | 2025-04-03
CVE-2024-55895 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 2.7 | Low | 2025-03-29

Vulnerabilities classified as CWE-209 (Information Exposure Through an Error Message) represent 297 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.