Quality: Error messages leak internal details to clients #113

New issue

Open

opened 2026-05-11 13:50:41 +00:00 by thabeta · 0 comments

thabeta commented 2026-05-11 13:50:41 +00:00

Owner

Copy link

Severity: Medium

Location

Multiple handlers across api_openrouter/ and api_openrpc/

Finding

Error responses often include internal details:

• Provider error messages forwarded directly to clients\n- Stack traces in error responses\n- Internal URLs and socket paths in error messages\n- Key pool status exposed in error responses

Impact

• Information disclosure about internal architecture\n- Provider error messages may contain sensitive data\n- Attackers can use error details for reconnaissance

Recommendation

• Sanitize error messages before sending to clients\n- Use structured error responses with error codes\n- Log internal details, return generic messages to clients\n- Add error sanitization middleware

## Severity: Medium ## Location Multiple handlers across `api_openrouter/` and `api_openrpc/` ## Finding Error responses often include internal details: - Provider error messages forwarded directly to clients\n- Stack traces in error responses\n- Internal URLs and socket paths in error messages\n- Key pool status exposed in error responses ## Impact - Information disclosure about internal architecture\n- Provider error messages may contain sensitive data\n- Attackers can use error details for reconnaissance ## Recommendation - Sanitize error messages before sending to clients\n- Use structured error responses with error codes\n- Log internal details, return generic messages to clients\n- Add error sanitization middleware

thabeta added the

type_bug

prio_low

labels 2026-05-11 13:50:41 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

development

development_align_chat_drop_sdk_specs

development_drop_stale_openrpc_artifacts

main

lab-latest

v0.1.1

v0.1.0

Labels

Clear labels   

prio_critical

  

prio_low

  

type_bug

  

type_contact

  

type_issue

  

type_lead

  

type_question

  

type_story

  

type_task

No labels

prio_critical

prio_low

type_bug

type_contact

type_issue

type_lead

type_question

type_story

type_task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lhumina_code/hero_aibroker#113

No description provided.