Raw error or stack trace returned to the client
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
res.send / res.json is called with a raw error object or err.stack, leaking file paths, dependency versions, and internal structure to the caller.
Why it matters
Returning a raw error object or err.stack to the client leaks internal detail: absolute file paths, dependency and framework versions, database structure, and sometimes secret values embedded in messages. Attackers use that information to map your stack and target known vulnerabilities. Clients only need a generic message and a status code.
How to fix it
Log the full error server-side, then respond with a generic message and an appropriate status code. Centralize this in the error-handling middleware so every route behaves the same, and make sure NODE_ENV is production so the framework does not add its own stack traces. Return structured error codes to clients instead of raw exception text.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo