
Javascript Error Handler Used In Production

Description

Identifies Express.js applications that run with debug mode enabled in production environments. When debug mode is enabled in production, error responses can expose sensitive application details and stack traces to attackers.

Weakness:

183 - Debugging enabled in production

Category: Functionality Abuse

Detection Strategy

    Check Express.js application configuration files and middleware setup for debug mode settings

    Look for debug configuration options set to true/enabled in production environment

    Examine error handling middleware for production environment checks

    Flag cases where detailed error messages or stack traces might be exposed to users

Vulnerable code example

const express = require('express');
const errorhandler = require('errorhandler');

const app = express();

app.use(errorhandler()); // Vulnerable: unconditionally registered, so stack traces reach clients in production

✅ Secure code example

const express = require('express');
const errorhandler = require('errorhandler');

const app = express();

// Only enable detailed error handling in development
if (process.env.NODE_ENV === 'development') {
    app.use(errorhandler()); // Safe: only shows detailed errors in dev environment...
}
// In any other environment no errorhandler is registered, so Express's default
// error handler responds instead of the development one.
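The page's secure example stops at the development branch. The following is an added example, not part of the catalogue entry, showing what the production side of that environment check should look like: an Express-style error-handling middleware that returns a generic message in production and includes the stack only elsewhere. `makeErrorHandler`, `fakeResponse` and `runHandler` are hypothetical names, and the response object is a constructed stand-in so the code runs without express installed.

```javascript
// Added example: environment-aware error-handling middleware.
// Signature (err, req, res, next) is the shape Express uses for error middleware;
// the environment is passed in explicitly so it can be exercised without
// mutating process.env.
function makeErrorHandler(env) {
  const showDetails = env !== 'production';
  return function errorHandler(err, req, res, next) {
    // Express convention: once headers are sent, delegate to the default handler
    if (res.headersSent) return next(err);
    const status = Number.isInteger(err.status) ? err.status : 500;
    // 4xx messages describe the client's request and are safe to echo;
    // 5xx messages may contain internals, so clients only get a generic text
    const body = { error: status < 500 ? err.message : 'Internal Server Error' };
    if (showDetails) {
      // Development only: full message and stack trace for the developer
      body.message = err.message;
      body.stack = err.stack;
    }
    res.status(status).json(body);
  };
}

// Constructed stand-in for an Express response object (not the real one)
function fakeResponse() {
  return {
    headersSent: false,
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; this.headersSent = true; return this; },
  };
}

// Runs the middleware for one error under a given NODE_ENV value
function runHandler(env, err) {
  const res = fakeResponse();
  makeErrorHandler(env)(err, {}, res, () => {});
  return res;
}

if (typeof require !== 'undefined' && require.main === module) {
  const err = new Error('db connection string invalid');
  console.log(runHandler('production', err).body);  // → { error: 'Internal Server Error' }
  console.log(runHandler('development', err).body); // message and stack included
}
```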