CWE-209 Information Exposure Through Error Message

Description

Information Exposure Through Error Message

Reference: https://cwe.mitre.org/data/definitions/209.html

OWASP Category: A09:2021 – Security Logging and Monitoring Failures


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: Exposing internal details
@ExceptionHandler(Exception.class)
public ResponseEntity<String> handleError(Exception e) {
    return ResponseEntity.status(500)
        .body("Error: " + e.getMessage() + "\n" +
              Arrays.toString(e.getStackTrace()));
}

// VULNERABLE: driver message forwarded to the caller
try {
    // database operation
} catch (SQLException e) {
    return "Database error: " + e.getMessage();  // Exposes DB details
}
```

Why it's vulnerable: The response body echoes the raw exception message and the full stack trace to the client. That reveals internal class and package names, code paths and, in the SQLException case, database driver text that can include table names, SQL fragments or hostnames, giving an attacker a map of the application's internals.


Deterministic Fix

✅ Example 2: Secure Implementation

```java
// SECURE: Generic error messages with logged details
// ErrorResponse and ServiceException are application-defined types;
// logger is an org.slf4j.Logger obtained from LoggerFactory.
@ExceptionHandler(Exception.class)
public ResponseEntity<ErrorResponse> handleError(Exception e) {
    String errorId = UUID.randomUUID().toString();
    // Full message and stack trace go to the server log only,
    // keyed by a correlation ID that is also returned to the client.
    logger.error("Error [{}]: {}", errorId, e.getMessage(), e);

    return ResponseEntity.status(500)
        .body(new ErrorResponse(
            "An internal error occurred",
            errorId  // Reference ID for support
        ));
}

try {
    // database operation
} catch (SQLException e) {
    // Log the driver details server-side, surface only a fixed message
    logger.error("Database error", e);
    throw new ServiceException("Unable to process request");
}
```

Why it's secure: The client receives only a fixed, generic message plus a random correlation ID. The exception message and stack trace are written to the server-side log under that same ID, so support staff can still diagnose the failure without any internal detail leaving the server.


Detection Pattern

Look for these patterns in your codebase:

```bash
# Find stack trace exposure
grep -rn "getStackTrace\|printStackTrace" --include="*.java" | grep -E "response|return"
```

Remediation Steps

  1. Return generic error messages to users

  2. Log detailed errors server-side with correlation IDs

  3. Configure global exception handlers

  4. Remove stack traces from production responses
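The four steps above combined into one global handler, as an added example that is not the skill's own code: `ErrorResponse`, `ResourceNotFoundException` and `GlobalExceptionHandler` are assumed application-defined names, and the catch-all `Exception` handler ensures no unhandled exception falls through to a default error page.

```java
import java.sql.SQLException;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

// Application-defined response body (assumed): only these two fields ever reach the client.
record ErrorResponse(String message, String errorId) {}

// Hypothetical application exception raised by the service layer (assumed, not from the page).
class ResourceNotFoundException extends RuntimeException {
    ResourceNotFoundException(String msg) { super(msg); }
}

@RestControllerAdvice
public class GlobalExceptionHandler {
    private static final Logger logger = LoggerFactory.getLogger(GlobalExceptionHandler.class);

    // Shared path: log message and stack trace under a correlation ID,
    // return only a fixed client-safe message plus that ID.
    static ErrorResponse sanitize(Exception e, String clientMessage) {
        String errorId = UUID.randomUUID().toString();
        logger.error("Error [{}]: {}", errorId, e.getMessage(), e);
        return new ErrorResponse(clientMessage, errorId);
    }

    // Expected client error: status is specific, but e.getMessage() is still not echoed.
    @ExceptionHandler(ResourceNotFoundException.class)
    public ResponseEntity<ErrorResponse> handleNotFound(ResourceNotFoundException e) {
        return ResponseEntity.status(HttpStatus.NOT_FOUND)
            .body(sanitize(e, "The requested resource was not found"));
    }

    // Database failures: driver text can carry table names, SQL fragments or hostnames.
    @ExceptionHandler(SQLException.class)
    public ResponseEntity<ErrorResponse> handleSql(SQLException e) {
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
            .body(sanitize(e, "Unable to process request"));
    }

    // Catch-all so nothing reaches a default error page that may carry a stack trace.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<ErrorResponse> handleOther(Exception e) {
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
            .body(sanitize(e, "An internal error occurred"));
    }
}
```

For errors raised outside MVC handlers, the Spring Boot default error page is hardened separately with `server.error.include-stacktrace=never` and `server.error.include-message=never` in production configuration.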


Key Imports


import org.slf4j.Logger;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-209 vulnerability
Resolve Information Exposure Through Error Message issue
Secure this Java code against information exposure through error message
SAST reports CWE-209

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07
