CWE-200 | High | MITRE entry

Sensitive Data Exposure

Exposure of Sensitive Information to an Unauthorized Actor

What it is

CWE-200 is a broad category covering any path that reveals sensitive information (credentials, tokens, internal identifiers, PII, business secrets, stack traces) to a party that should not have access. The disclosure can be active (an endpoint returns the data) or passive (a log file or cache stores it).

Why it matters

Most disclosed breaches involve a CWE-200 leak somewhere in the chain: stack traces that reveal database schema, debug endpoints returning environment variables, error messages that enumerate users, log files that capture authentication tokens, or response bodies that include fields the API was not supposed to return. Modern privacy regulations (GDPR Article 33, HIPAA 164.408, PCI-DSS 12.10) impose disclosure timelines that start the moment a CWE-200 exposure is detected.

Common patterns

  • Returning raw exception objects, stack traces, or DEBUG=True output to clients in production.
  • Logging request bodies that contain passwords, tokens, or credit card numbers.
  • Including internal IDs, database row counts, or schema hints in error responses.
  • User enumeration via different error messages for valid vs invalid usernames.
  • Response serialization that includes server-only fields (password hash, isInternal flag).
  • Debug or admin endpoints (/debug, /healthz with full env dump, /admin/users) accessible without authentication.

Languages affected

Python, JavaScript, TypeScript, Ruby, Java, Go, PHP, C#

What Deva detects

Deva detects framework debug flags (DEBUG=True in Flask/Django settings, app.debug=true in Express), error handlers that return err.stack or e.__traceback__ to clients, logger.info calls with arguments containing recognized credential patterns (Authorization headers, password fields, AWS keys), and response serialization where the model includes sensitive fields without an explicit allowlist. The scanner also flags routes named /debug, /healthz, /metrics, or /admin without authentication middleware.

Example

Vulnerable

from flask import Flask, jsonify, request

app = Flask(__name__)
app.config['DEBUG'] = True

@app.errorhandler(Exception)
def handle(e):
    return jsonify({
        'error': str(e),
        'type': type(e).__name__,
        'traceback': str(e.__traceback__),
        'request_body': request.get_data(as_text=True),
    }), 500

Fixed

import logging
from flask import Flask, jsonify, request  # request is needed by handle_generic below
from werkzeug.exceptions import HTTPException

app = Flask(__name__)
app.config['DEBUG'] = False  # Never True in production
logger = logging.getLogger(__name__)

@app.errorhandler(HTTPException)
def handle_http(e):
    # HTTP errors return their status code with a generic message.
    return jsonify({'error': e.name}), e.code

@app.errorhandler(Exception)
def handle_generic(e):
    # Log the full exception server-side with a correlation id.
    correlation_id = request.headers.get('X-Request-Id', 'unknown')
    logger.exception('Unhandled exception', extra={'correlation_id': correlation_id})
    # Return generic error to the client; no stack trace, no request echo.
    return jsonify({'error': 'Internal server error', 'correlation_id': correlation_id}), 500

Explanation

The vulnerable handler returns the full exception chain and the entire request body to whoever triggered the error. An attacker fuzzing inputs harvests stack traces that reveal database schemas, file paths, and library versions. The fix disables DEBUG, logs server-side, returns a generic error code with a correlation id, and separates HTTP errors (safe to surface) from unexpected exceptions (never surface). The correlation id lets support staff find the underlying error in logs without exposing it to the client.
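The fixed handler still writes the exception message, and anything it echoes from the request, into the log, which is the second pattern in the list above (logging bodies that contain passwords or tokens). The following is an added example, not code from the page or from Deva, of a logging filter that scrubs the credential shapes the scanner looks for before any handler or formatter sees them; the regex set is assumed and illustrative, not the scanner's own rules.

```python
import logging
import re

# Credential shapes to scrub (assumed, illustrative set): Authorization headers,
# password/token fields in JSON or form bodies, and AWS access key ids.
_RULES = [
    (re.compile(r'(?i)(authorization\s*[:=]\s*)((?:bearer|basic)\s+)?([^\s,;"\']+)'), r'\1\2[REDACTED]'),
    (re.compile(r'(?i)("?(?:password|passwd|secret|token|api_key)"?\s*[:=]\s*)("[^"]*"|[^\s,;&]+)'), r'\1[REDACTED]'),
    (re.compile(r'\bAKIA[0-9A-Z]{16}\b'), '[REDACTED]'),
]

def redact(text):
    """Return text with every matched secret replaced; surrounding context is kept."""
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text

class RedactingFilter(logging.Filter):
    """Rewrite the record in place so no formatter or handler ever sees the raw value."""
    def filter(self, record):
        record.msg = redact(record.getMessage())  # interpolate args first, then scrub
        record.args = ()
        if record.exc_info and record.exc_info[1] is not None:
            exc = record.exc_info[1]  # exception messages often echo the offending input
            exc.args = tuple(redact(a) if isinstance(a, str) else a for a in exc.args)
        return True

class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the effect can be checked without a file."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def demo():
    logger = logging.getLogger('cwe200.demo')
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    # Filter at the handler, not the logger: logger-level filters do not run for
    # records propagated up from child loggers.
    handler.addFilter(RedactingFilter())
    logger.handlers.clear()
    logger.addHandler(handler)
    # Constructed sample call of the kind the "Common patterns" list warns about.
    logger.info('login body=%s auth="%s"', '{"user": "bob", "password": "hunter2"}',
                'Authorization: Bearer eyJhbGciOi.payload.sig')
    return handler.lines
```

Pattern-based scrubbing is a safety net, not a substitute for never passing request bodies or headers to the logger in the first place; a value that does not match any rule still reaches the log.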

Compliance framework mapping

Framework            | Controls
OWASP Top 10 (2021)  | A01:2021 Broken Access Control; A02:2021 Cryptographic Failures
NIST 800-53 Rev 5    | SI-11 Error Handling; AU-9 Protection of Audit Information
PCI-DSS v4.0         | 3.4 Mask PAN; 6.5.5 Improper error handling
HIPAA Security Rule  | 164.312(c)(1) Integrity
GDPR                 | Article 32 Security of processing; Article 33 Notification of breach

Related CWEs

Deva detects CWE-200 alongside 970+ other CWE patterns at write time, with AI-assisted fix generation that maintains compliance.