GraphQL Unhandled Error Leakage - Vulnerability Database

GraphQL Unhandled Error Leakage

Description

The GraphQL API is exposing detailed exception information, including stack traces and internal error details, through the errors.message.extensions.exception.stack response field. This verbose error handling allows unauthorized users to view sensitive technical information about the application's internal structure, dependencies, and execution flow. Such information disclosure can significantly aid attackers in reconnaissance activities and vulnerability exploitation.

Remediation

1. Implement Centralized Error Handling
Configure your GraphQL server to catch all exceptions and return sanitized error messages to clients. Use a custom error formatter to strip sensitive details:

// Example for Apollo Server 3 (Node.js). In Apollo Server 4 the hook is
// formatError(formattedError, error); the same idea applies.
const { ApolloServer } = require('apollo-server');

const server = new ApolloServer({
  typeDefs,   // your schema
  resolvers,  // your resolvers
  formatError: (error) => {
    // Log full error details server-side for debugging
    console.error('GraphQL Error:', error);

    // Return a sanitized error to the client. Only the message and the code
    // are copied; error.extensions.exception (which carries the stack trace
    // in debug mode) is never passed through.
    return {
      message: 'An error occurred processing your request',
      extensions: {
        code: error.extensions?.code || 'INTERNAL_SERVER_ERROR',
      },
    };
  },
});

2. Disable Debug Mode in Production
Ensure that debug mode and detailed error reporting are disabled in production environments. Set appropriate environment variables:

// Disable introspection and debug features in production.
// `debug` is an Apollo Server 3 option; Apollo Server 4 replaces it with
// `includeStacktraceInErrorResponses`.
const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: process.env.NODE_ENV !== 'production',
  debug: process.env.NODE_ENV !== 'production',
});

3. Use Environment-Specific Error Responses
Provide detailed errors only in development environments. In production, return generic messages while logging full details server-side for troubleshooting.

4. Implement Proper Exception Handling in Resolvers
Wrap resolver logic in try-catch blocks and throw user-friendly errors:

// Example resolver with proper error handling (Apollo Server 3)
const { UserInputError } = require('apollo-server');
const logger = console; // substitute your application's logger

const resolvers = {
  Query: {
    user: async (_, { id }) => {
      try {
        return await getUserById(id); // your data-access function
      } catch (error) {
        // Log detailed error server-side
        logger.error('Failed to fetch user:', error);
        // Throw a sanitized error; only this message and its code reach the client
        throw new UserInputError('Unable to retrieve user data');
      }
    },
  },
};

5. Review and Test Error Responses
Regularly audit GraphQL error responses to ensure no sensitive information is leaked through error messages, extensions, or custom fields.
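The following is an added example, not code from this page or from Apollo, that ties step 1 and step 5 together as plain, framework-independent JavaScript: a sanitizer in the shape of a formatError hook and an audit function that scans a GraphQL response body for leaked internals. The error-code names follow Apollo Server's built-in codes; the leak-indicator key names (`exception`, `stacktrace`, `stack`), the Node.js stack-frame pattern, and the sample response are assumptions constructed for illustration.

```javascript
// Added example (not Invicti's code, not Apollo's): a framework-independent
// error sanitizer in the shape of a formatError hook, plus an audit check
// that scans a GraphQL response body for leaked internal details. The
// leak-indicator keys and the sample response below are constructed.

// Error codes that originate from the client's request and whose message is
// safe to pass through. Anything else is treated as an internal failure.
const CLIENT_ERROR_CODES = new Set([
  'BAD_USER_INPUT',
  'UNAUTHENTICATED',
  'FORBIDDEN',
  'GRAPHQL_VALIDATION_FAILED',
  'GRAPHQL_PARSE_FAILED',
]);

// Keys that servers commonly populate with internal details in debug mode (assumed).
const LEAK_KEYS = new Set(['exception', 'stacktrace', 'stack']);

// Matches a Node.js-style stack frame, e.g. "    at fn (/srv/app/x.js:42:17)".
const STACK_FRAME = /(^|\n)\s*at .+\(.+:\d+:\d+\)/;

// Sanitize one GraphQL error for the client; the full error goes to `log`.
function sanitizeGraphQLError(error, log = console.error) {
  log('GraphQL error', error);
  const code = error.extensions && error.extensions.code;
  const base = { locations: error.locations, path: error.path };
  if (CLIENT_ERROR_CODES.has(code)) {
    // Client-caused error: keep the message, but rebuild extensions with only
    // the code so exception/stacktrace never reach the client.
    return { ...base, message: error.message, extensions: { code } };
  }
  return {
    ...base,
    message: 'An error occurred processing your request',
    extensions: { code: 'INTERNAL_SERVER_ERROR' },
  };
}

// Audit helper (step 5): return JSON paths under `body.errors` that carry
// leaked internals, either by key name or by a stack-frame pattern in a string.
function findLeakedErrorDetails(body) {
  const hits = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (node && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        const childPath = `${path}.${key}`;
        if (LEAK_KEYS.has(key)) hits.push(childPath);
        else walk(value, childPath);
      }
    } else if (typeof node === 'string' && STACK_FRAME.test(node)) {
      hits.push(path);
    }
  };
  walk(Array.isArray(body.errors) ? body.errors : [], 'errors');
  return hits;
}

// Apply the sanitizer to every error, as a formatError hook would.
function sanitizeResponse(body, log = () => {}) {
  if (!Array.isArray(body.errors)) return body;
  return { ...body, errors: body.errors.map((e) => sanitizeGraphQLError(e, log)) };
}

// Constructed sample: what a debug-mode server might return for a resolver crash.
const leakyResponse = {
  data: { user: null },
  errors: [{
    message: "Cannot read properties of undefined (reading 'id')",
    path: ['user'],
    extensions: {
      code: 'INTERNAL_SERVER_ERROR',
      exception: {
        stacktrace: [
          "TypeError: Cannot read properties of undefined (reading 'id')",
          '    at getUserById (/srv/app/src/users.js:42:17)',
        ],
      },
    },
  }],
};

console.log('leaks before:', findLeakedErrorDetails(leakyResponse));
console.log('leaks after: ', findLeakedErrorDetails(sanitizeResponse(leakyResponse)));
```

`findLeakedErrorDetails` is the piece worth wiring into an integration test or a CI check: feed it the JSON body of each GraphQL error response your test suite provokes (bad input, missing auth, a forced resolver failure) and fail the build if it returns any path. The sanitizer deliberately rebuilds `extensions` from scratch instead of deleting known-bad keys, so a new debug field added by a library upgrade cannot slip through.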
