- Context: Cloud / Both
- Category: Data Leakage / Vulnerability (Information Disclosure)
- Severity: Medium
Evidence
```ts
// app/api/oauth/token/route.ts
const errorData = await tokenResponse.text();
console.error("Token exchange failed:", errorData);
return NextResponse.json(
  { error: "Token exchange failed", details: errorData }, // <-- raw upstream error
  { status: tokenResponse.status }
);

// app/api/valyu-proxy/route.ts
return NextResponse.json(
  { error: "proxy_error", message: errorData.message || "Request failed", details: errorData },
  { status: response.status }
);
```
Raw error bodies from Valyu's auth server and proxy are forwarded directly to the browser. These can include internal error codes, stack traces from Valyu's backend, or partial JWT information.
Affected files: app/api/oauth/token/route.ts, app/api/valyu-proxy/route.ts
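One way to close both error paths, as an added example (not code from the repository): return only an allowlisted error code plus a correlation ID to the browser, and keep the upstream body in the server log with token material redacted. `sanitizeUpstreamError` and `requestId` are hypothetical names, and the example assumes the upstream may return RFC 6749-style JSON with an `error` field.

```typescript
// Added example: hardened error handling for the two routes above.
// Assumptions: the upstream may return RFC 6749-style JSON ({ error: "..." });
// sanitizeUpstreamError and requestId are hypothetical names.

type SafeError = {
  status: number;
  body: { error: string; requestId: string };
  logLine: string; // server-side only, never sent to the browser
};

// OAuth error codes defined in RFC 6749 section 5.2; safe to show to clients.
const PUBLIC_OAUTH_ERRORS = new Set([
  "invalid_request", "invalid_client", "invalid_grant",
  "unauthorized_client", "unsupported_grant_type", "invalid_scope",
]);

// Statuses the client can act on; everything else collapses to 502.
const PASSTHROUGH_STATUS = new Set([400, 401, 403, 429]);

// Matches JWT-shaped strings, including partial ones (header segment only).
const JWT_LIKE = /eyJ[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+){0,2}/g;

function sanitizeUpstreamError(
  upstreamStatus: number,
  rawBody: string,
  requestId: string,
): SafeError {
  let code = "upstream_error";
  try {
    const parsed: unknown = JSON.parse(rawBody);
    const candidate = (parsed as { error?: unknown } | null)?.error;
    if (typeof candidate === "string" && PUBLIC_OAUTH_ERRORS.has(candidate)) {
      code = candidate; // allowlisted code only; never message/details/stack
    }
  } catch {
    // Non-JSON body (HTML error page, stack trace): keep the generic code.
  }
  const status = PASSTHROUGH_STATUS.has(upstreamStatus) ? upstreamStatus : 502;
  // Keep the detail for operators, but bound its size and redact token material.
  const detail = rawBody.slice(0, 2048).replace(JWT_LIKE, "[REDACTED_JWT]");
  return {
    status,
    body: { error: code, requestId },
    logLine: `upstream error requestId=${requestId} status=${upstreamStatus} body=${detail}`,
  };
}
```

In a route handler, write `logLine` with `console.error` and return `NextResponse.json(result.body, { status: result.status })`; the `requestId` lets support correlate a user report with the full server-side record.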