What is Information Disclosure? Sensitive Data Exposure Explained

Sensitive Data Exposure (Information Disclosure)

Information disclosure occurs when an application exposes sensitive internal data to users who should not have access to it. This includes stack traces, database error messages, environment variables, internal paths, and user data leaked through verbose responses. It is classified under CWE-200 (Exposure of Sensitive Information) and CWE-209 (Generation of Error Message Containing Sensitive Information).

What is Information Disclosure?

Hit a bad route in your app and the response dumps a full stack trace — file paths, database connection strings, the ORM version, maybe even a snippet of your .env. That's information disclosure.

It doesn't always look dramatic. Sometimes it's an API response that returns 20 fields when the frontend only uses 3. Sometimes it's an error message that says column 'password_hash' does not exist — telling an attacker exactly what your schema looks like.

Information disclosure is classified under CWE-200 (Exposure of Sensitive Information) and CWE-209 (Error Messages Containing Sensitive Info). On its own it might seem low-severity, but it's the recon step that makes every other attack easier.

How does Information Disclosure work?

The most common pattern: your error handler catches an exception and sends the full error object back to the client. In development, this is helpful. In production, it hands attackers a map of your internals.

Here's what this looks like in a typical API route:

Vulnerable — full error details sent to client

// app/api/users/[id]/route.ts
export async function GET(req, { params }) {
  try {
    const user = await db.user.findUnique({
      where: { id: params.id },
    });
    return Response.json(user);
  } catch (error) {
    // Problem: sends stack trace, DB details,
    // and internal paths to the client.
    return Response.json(
      { error: error.message, stack: error.stack },
      { status: 500 },
    );
  }
}

Fixed — generic message to client, details to logs

// app/api/users/[id]/route.ts
export async function GET(req, { params }) {
  try {
    const user = await db.user.findUnique({
      where: { id: params.id },
    });

    // Only return the fields the client needs.
    const { id, name, avatar } = user;
    return Response.json({ id, name, avatar });
  } catch (error) {
    // Log the full error server-side.
    console.error('User fetch failed:', {
      userId: params.id,
      error: error.message,
    });

    // Send a generic message to the client.
    return Response.json(
      { error: 'Something went wrong' },
      { status: 500 },
    );
  }
}

Why do AI tools generate Information Disclosure vulnerabilities?

AI-generated code is built for development speed. Error handling that's helpful during debugging becomes a liability in production — and the model rarely makes the distinction.

Dev-friendly error handling ships to production. Models generate <code>catch (e) { res.json({ error: e.message }) }</code> because that's what tutorials show. Nobody prompts for "production-safe error handling."
SELECT * is the default. When the model writes a database query, it fetches everything. The API response includes fields like <code>password_hash</code>, <code>internal_notes</code>, and <code>created_by_ip</code> — data the frontend never uses but attackers love.
No environment awareness. The model doesn't know if the code will run in development or production. It generates one error handler for both, and it's always the verbose one.

Information disclosure is rarely the main vulnerability — but it makes every other attack cheaper. A leaked schema tells attackers which tables to target. A stack trace reveals the framework version and its known CVEs.

Common Information Disclosure patterns

Stack traces in error responses

500 errors that include file paths, line numbers, and dependency versions.

Verbose API responses

Endpoints returning full database rows — including internal fields like password hashes and API keys.

Debug headers left in production

X-Powered-By, Server, and custom debug headers that reveal framework, version, and infrastructure.

Detailed validation errors

Messages like "column email must be unique" or "foreign key constraint on org_id failed" that expose schema details.

How Flowpatrol detects Information Disclosure

Flowpatrol checks for information leaks the same way a real attacker would — by poking your app and reading what comes back:

1Triggers error conditions — sends malformed IDs, missing parameters, and invalid types to every endpoint.
2Inspects error responses for stack traces, internal paths, database details, and framework fingerprints.
3Analyzes API responses for over-exposed fields — data that the frontend never renders but the API still returns.
4Checks response headers for debug info, server versions, and framework identifiers that should be stripped in production.

Information disclosure is easy to miss because the app still works fine. Flowpatrol catches what manual testing overlooks.

Check your app for information leaks.

Flowpatrol finds the data your app is giving away. Paste your URL and see what comes back.

Try it free

Sensitive Data Exposure (Information Disclosure)

What is Information Disclosure?

Hit a bad route in your app and the response dumps a full stack trace — file paths, database connection strings, the ORM version, maybe even a snippet of your .env. That's information disclosure.

How does Information Disclosure work?

Here's what this looks like in a typical API route:

Vulnerable — full error details sent to client

// app/api/users/[id]/route.ts
export async function GET(req, { params }) {
  try {
    const user = await db.user.findUnique({
      where: { id: params.id },
    });
    return Response.json(user);
  } catch (error) {
    // Problem: sends stack trace, DB details,
    // and internal paths to the client.
    return Response.json(
      { error: error.message, stack: error.stack },
      { status: 500 },
    );
  }
}

Fixed — generic message to client, details to logs

// app/api/users/[id]/route.ts
export async function GET(req, { params }) {
  try {
    const user = await db.user.findUnique({
      where: { id: params.id },
    });

    // Only return the fields the client needs.
    const { id, name, avatar } = user;
    return Response.json({ id, name, avatar });
  } catch (error) {
    // Log the full error server-side.
    console.error('User fetch failed:', {
      userId: params.id,
      error: error.message,
    });

    // Send a generic message to the client.
    return Response.json(
      { error: 'Something went wrong' },
      { status: 500 },
    );
  }
}

Why do AI tools generate Information Disclosure vulnerabilities?

AI-generated code is built for development speed. Error handling that's helpful during debugging becomes a liability in production — and the model rarely makes the distinction.

Dev-friendly error handling ships to production. Models generate <code>catch (e) { res.json({ error: e.message }) }</code> because that's what tutorials show. Nobody prompts for "production-safe error handling."
SELECT * is the default. When the model writes a database query, it fetches everything. The API response includes fields like <code>password_hash</code>, <code>internal_notes</code>, and <code>created_by_ip</code> — data the frontend never uses but attackers love.
No environment awareness. The model doesn't know if the code will run in development or production. It generates one error handler for both, and it's always the verbose one.

Common Information Disclosure patterns

Stack traces in error responses

500 errors that include file paths, line numbers, and dependency versions.

Verbose API responses

Endpoints returning full database rows — including internal fields like password hashes and API keys.

Debug headers left in production

X-Powered-By, Server, and custom debug headers that reveal framework, version, and infrastructure.

Detailed validation errors

Messages like "column email must be unique" or "foreign key constraint on org_id failed" that expose schema details.

How Flowpatrol detects Information Disclosure

Flowpatrol checks for information leaks the same way a real attacker would — by poking your app and reading what comes back:

1Triggers error conditions — sends malformed IDs, missing parameters, and invalid types to every endpoint.
2Inspects error responses for stack traces, internal paths, database details, and framework fingerprints.
3Analyzes API responses for over-exposed fields — data that the frontend never renders but the API still returns.
4Checks response headers for debug info, server versions, and framework identifiers that should be stripped in production.

Information disclosure is easy to miss because the app still works fine. Flowpatrol catches what manual testing overlooks.

Sensitive Data Exposure (Information Disclosure)