
Detailed third-party error responses forwarded to the client #36

@Hag-Zilla

Description

  • Context: Cloud / Both
  • Category: Data Leakage / Vulnerability (Information Disclosure)
  • Severity: Medium

Evidence

// app/api/oauth/token/route.ts
const errorData = await tokenResponse.text();
console.error("Token exchange failed:", errorData);
return NextResponse.json(
  { error: "Token exchange failed", details: errorData },  // <-- raw upstream error
  { status: tokenResponse.status }
);

// app/api/valyu-proxy/route.ts
return NextResponse.json(
  { error: "proxy_error", message: errorData.message || "Request failed", details: errorData },
  { status: response.status }
);

Raw error bodies from Valyu's auth server and proxy are forwarded directly to the browser. These can include internal error codes, stack traces from Valyu's backend, or partial JWT information.

Affected files: app/api/oauth/token/route.ts, app/api/valyu-proxy/route.ts
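The pattern from the evidence next to a hardened version, as an added example that is not the project's code. It is framework-free so it runs stand-alone: `NextResponse.json(...)` is stood in for by a plain `{ status, body }` object, `hardenedUpstreamError` and `findLeaks` are hypothetical helpers, and `SAMPLE_UPSTREAM_BODY` is a constructed upstream error body (internal code, stack frames and partial JWT all invented to show what must not reach the browser).

```typescript
import { randomUUID } from "node:crypto";

// Stand-in for NextResponse.json(body, { status }) so the example runs without Next.js (assumption).
type JsonResponse = { status: number; body: Record<string, unknown> };

// Constructed sample of what an upstream auth server might send back on a failed
// token exchange. Every value here is invented for the example.
export const SAMPLE_UPSTREAM_BODY = JSON.stringify({
  error: "invalid_grant",
  internal_code: "AUTH-4417",
  message:
    "Error: code verifier mismatch\n" +
    "    at verifyPkce (/srv/auth/pkce.js:88:13)\n" +
    "    at handleToken (/srv/auth/token.js:42:9)",
  partial_token: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9",
});

// Vulnerable: mirrors the issue's token route. The raw upstream body is logged and
// then forwarded verbatim to the browser.
export function vulnerableTokenError(upstreamStatus: number, upstreamBody: string): JsonResponse {
  console.error("Token exchange failed:", upstreamBody);
  return {
    status: upstreamStatus,
    body: { error: "Token exchange failed", details: upstreamBody },
  };
}

// Hardened (hypothetical): keep the raw body in server logs under a correlation id,
// return only a generic error plus that id, and turn upstream 5xx into 502 so the
// client can tell "the upstream failed" from "my request was rejected".
// `context` names the route ("token" or "proxy"); both routes in the issue share this shape.
export function hardenedUpstreamError(
  context: string,
  upstreamStatus: number,
  upstreamBody: string,
): JsonResponse {
  const requestId = randomUUID();
  console.error(`[${requestId}] ${context} upstream error (${upstreamStatus}):`, upstreamBody);
  const status = upstreamStatus >= 500 ? 502 : upstreamStatus;
  return { status, body: { error: `${context}_error`, requestId } };
}

// Leak check a reviewer or test can run over any response body: flags stack frames,
// JWT-looking segments and internal error codes. Patterns are deliberately simple.
const LEAK_PATTERNS: Array<[string, RegExp]> = [
  ["stack_trace", /\bat \w+ \([^)]*:\d+:\d+\)/],
  ["jwt", /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/],
  ["internal_code", /\b[A-Z]{2,}-\d{3,}\b/],
];

export function findLeaks(body: Record<string, unknown>): string[] {
  const text = JSON.stringify(body);
  return LEAK_PATTERNS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Usage: the vulnerable handler leaks all three markers, the hardened one leaks none.
console.log(findLeaks(vulnerableTokenError(400, SAMPLE_UPSTREAM_BODY).body));
console.log(findLeaks(hardenedUpstreamError("token", 503, SAMPLE_UPSTREAM_BODY).body));
```

The status passthrough for 4xx is a judgement call: HTTP status codes carry no secrets, and a client that sees 401 from the token route can sensibly restart the login flow. The `requestId` is what support staff grep for in the server log to recover the upstream detail that used to be in the response.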
