Javascript All Errors Enabled
Description
Detects an insecure configuration of the Ajv schema validator in which the allErrors option is enabled. With allErrors set to true, Ajv keeps validating after the first failure and collects every error, so error messages returned on failed validation may expose sensitive details of the schema and of the expected data structure, leading to information disclosure.
Detection Strategy
• Look for Ajv schema validator initialization or configuration in JavaScript/TypeScript code
• Check if allErrors property is set to true in the configuration options
• Report vulnerability if allErrors is enabled without proper error message sanitization
• Flag instances where allErrors configuration could expose detailed validation errors to users
Vulnerable code example
```javascript
import Ajv from 'ajv';
// Vulnerable: allErrors:true can expose sensitive data in validation errors
const ajv = new Ajv({ allErrors: true });
// Also vulnerable: passing config object with allErrors:true
const config = { allErrors: true };
const ajv2 = new Ajv(config);
```
✅ Secure code example
```javascript
import Ajv from 'ajv';
// Safe: Disable allErrors to prevent exposing sensitive data in validation errors
const ajv = new Ajv({ allErrors: false });
// Safe: Use minimal configuration with default false for allErrors
const config = { }; // Default allErrors is false
const ajv2 = new Ajv(config);
```
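The detection strategy above, implemented as a small added example (not Fluid Attacks' rule code): a regex-based scanner that reports every `new Ajv(...)` whose options enable allErrors, whether the options object is written inline or bound to a name earlier in the same file. The two sample sources are constructed to mirror the vulnerable and secure snippets; the scanner only understands flat object literals like those.

```javascript
// Added example: a minimal scanner for Ajv instances created with allErrors enabled.
// It is regex-based and handles flat option objects only, as in the page's snippets.

// Names of `const|let|var NAME = { ... }` literals that set allErrors: true.
function findAllErrorsBindings(source) {
  const enabled = new Set();
  const binding = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*\{([^}]*)\}/g;
  let m;
  while ((m = binding.exec(source)) !== null) {
    if (/\ballErrors\s*:\s*true\b/.test(m[2])) enabled.add(m[1]);
  }
  return enabled;
}

// Returns [{ line, code }] for every Ajv construction whose options enable allErrors,
// either inline (`new Ajv({ allErrors: true })`) or via a bound object (`new Ajv(config)`).
function detectAllErrors(source) {
  const enabledBindings = findAllErrorsBindings(source);
  const findings = [];
  const ctor = /new\s+Ajv\s*\(\s*(\{[^}]*\}|[A-Za-z_$][\w$]*)?\s*\)/g;
  let m;
  while ((m = ctor.exec(source)) !== null) {
    const arg = m[1] || '';
    const inline = arg.startsWith('{') && /\ballErrors\s*:\s*true\b/.test(arg);
    const viaBinding = !arg.startsWith('{') && enabledBindings.has(arg);
    if (inline || viaBinding) {
      findings.push({
        line: source.slice(0, m.index).split('\n').length, // 1-based line number
        code: m[0],
      });
    }
  }
  return findings;
}

// Constructed samples mirroring the vulnerable and secure snippets on this page.
const VULNERABLE_SAMPLE = [
  "import Ajv from 'ajv';",
  "const ajv = new Ajv({ allErrors: true });",
  "const config = { allErrors: true };",
  "const ajv2 = new Ajv(config);",
].join('\n');
const SECURE_SAMPLE = [
  "import Ajv from 'ajv';",
  "const ajv = new Ajv({ allErrors: false });",
  "const config = {}; // default allErrors is false",
  "const ajv2 = new Ajv(config);",
].join('\n');

console.log(detectAllErrors(VULNERABLE_SAMPLE)); // two findings, on lines 2 and 4
console.log(detectAllErrors(SECURE_SAMPLE));     // []
```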