Summary
Exception messages from underlying libraries (aiohttp, requests) are directly included in API responses. These messages may contain internal paths, hostnames, or stack traces.
Affected Projects
- pfsense-mcp
- truenas-mcp
- proxmox-mcp
Vulnerability Details
An attacker could trigger various error conditions to gather information about the server's internal architecture, library versions, network topology, and potential vulnerabilities.
Example
raise TrueNASAPIError(f"API request failed: {response.status} - {error_text}")
Recommended Fix
- Log full exception details server-side
- Return generic error messages to clients (e.g., "Connection failed" instead of full exception text)
- Implement error code mapping to user-friendly messages
References
- CWE-209 (Generation of Error Message Containing Sensitive Information)
🤖 Generated with Claude Code