Typescript Error Handler Used In Production
Description
Detects Express.js applications with debug mode or detailed error handlers enabled in production environments. When debug mode is enabled in production, it can expose sensitive application details and internal errors to potential attackers, creating a security risk.
Detection Strategy
• Inspects Express.js application configuration settings for debug mode flags or error handler configurations
• Checks if app.use() calls include error handlers that expose detailed error information
• Examines environment configurations to identify debug settings enabled in production contexts
• Reports a vulnerability when debug features or detailed error handlers are enabled in production environment settings
Vulnerable code example
import express from 'express';
import errorhandler from 'errorhandler';
const app = express();
// Vulnerable: errorhandler middleware exposes detailed error info in production
app.use(errorhandler());
✅ Secure code example
import express from 'express';
import errorhandler from 'errorhandler';
const app = express();
// Only use errorhandler in development environment to avoid exposing sensitive details
if (process.env.NODE_ENV === 'development') {
app.use(errorhandler());
}
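The secure example above only says when not to mount errorhandler; what production should do instead is shown here as an added example that is not code from the rule page or the errorhandler project. The middleware logs the full error server-side and returns only a generic message to clients unless NODE_ENV is development; Req, Res and Next are minimal stand-ins for Express's types so the file runs without the express package installed.

```typescript
// Added example, not code from the rule page or the errorhandler project.
// Req, Res and Next are minimal stand-ins for Express's types so this runs
// without the express package; in a real app use express's own types.
interface Req { method: string; url: string; }
interface Res { status(code: number): Res; json(payload: unknown): Res; }
type Next = (err?: unknown) => void;
type HttpError = Error & { status?: number };
type ErrorMiddleware = (err: HttpError, req: Req, res: Res, next: Next) => void;

// nodeEnv is passed in (normally process.env.NODE_ENV) so both settings can be exercised.
function makeErrorHandler(nodeEnv: string | undefined,
                          log: (line: string) => void = console.error): ErrorMiddleware {
  const isDev = nodeEnv === 'development';
  return (err, req, res, _next) => {
    const status = err.status ?? 500;
    // Full detail always goes to the server-side log, never to the client in production.
    log(`${req.method} ${req.url} -> ${status}: ${err.stack ?? err.message}`);
    if (isDev) {
      // Development only: verbose output, the role errorhandler() plays on the page.
      res.status(status).json({ message: err.message, stack: err.stack });
      return;
    }
    // Production: a 5xx gets a fixed message; a 4xx keeps its client-facing message.
    // No stack trace, file path or dependency version leaves the server.
    res.status(status).json({ message: status >= 500 ? 'Internal Server Error' : err.message });
  };
}

// Drives the handler with a fake response and returns what a client would receive.
// The default error is a constructed sample of the kind of detail that must not leak.
function runHandler(nodeEnv: string | undefined,
                    err: HttpError = new Error('connect ECONNREFUSED db:5432')):
    { statusCode: number; body: Record<string, unknown> } {
  const captured = { statusCode: 0, body: {} as Record<string, unknown> };
  const res: Res = {
    status(code) { captured.statusCode = code; return res; },
    json(payload) { captured.body = payload as Record<string, unknown>; return res; },
  };
  const handler = makeErrorHandler(nodeEnv, () => { /* discard log lines in this demo */ });
  handler(err, { method: 'GET', url: '/orders' }, res, () => {});
  return captured;
}

console.log(runHandler('production'));               // { statusCode: 500, body: { message: 'Internal Server Error' } }
console.log(runHandler('development').body.message); // 'connect ECONNREFUSED db:5432'
```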