Will It Vibe logoWill It Vibe?
EXPRESS-021Medium severity-8 points

Raw error or stack trace returned to the client

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

res.send / res.json is called with a raw error object or err.stack, leaking file paths, dependency versions, and internal structure to the caller.

Why it matters

Returning a raw error object or err.stack to the client leaks internal detail: absolute file paths, dependency and framework versions, database structure, and sometimes secret values embedded in messages. Attackers use that information to map your stack and target known vulnerabilities. Clients only need a generic message and a status code.

How to fix it

Log the full error server-side, then respond with a generic message and an appropriate status code. Centralize this in the error-handling middleware so every route behaves the same, and make sure NODE_ENV is production so the framework does not add its own stack traces. Return structured error codes to clients instead of raw exception text.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks