SECR-004: Stack Traces in Error Pages ¶
1 Status ¶
| Date | Status | |
|---|---|---|
| 02-07-2026 | Identified | |
| 04-07-2026 | Analysed | |
| ▶ | 06-07-2026 | Accepted |
2 Threat ¶
An attacker maps the product's internals — framework versions, file paths, query shapes — from the diagnostic detail leaked in error responses.
3 Vulnerability ¶
Unhandled exceptions return the full stack trace to the client when the deployment flag is left in development mode.
4 CVSS Vector ¶
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 CVSS Score ¶
6 Mitigation ¶
Accepted for this release with a compensating control: the deployment checklist verifies the production flag, and error responses are sampled in the smoke test. A framework-level generic error page is scheduled for the next release.
7 Monitoring ¶
The smoke test asserts that a forced error returns the generic page in every deployment.