DEF-029 — Server exposes full internal stack traces in error responses

Published: 2026-06-17

Summary

When a request hits an unhandled route or triggers an unhandled exception, the server returns a full Laravel debug dump in the response body. This includes absolute server file paths, framework class names, line numbers, and the complete call stack from the web server entry point through every middleware layer. This information is directly useful to an attacker mapping the server environment.

Environment

  • Platform: DriveLink Backend API
  • Server: https://project6.dxtserver.com/drivelink_new/public/api/v1
  • Area: Security / Error Handling
  • Date Reported: 2026-06-17
  • Testing Phase: Backend API Testing

Steps to Reproduce

  1. Send any request to a route that does not exist, e.g.:

     GET /api/v1/vehicles/56
     Authorization: Bearer <valid_token>

  2. Inspect the response body.

Expected Behaviour

A clean JSON error response with no internal details:

{
  "status": "0",
  "message": "Not found."
}

Actual Behaviour

Full Laravel debug output, including:

  • Absolute server file path: /home/project6/public_html/drivelink_new/vendor/laravel/...
  • Exception class name and framework internals
  • Line numbers within framework source files
  • 25+ stack frames from index.php through every middleware

{
  "message": "The route api/v1/vehicles/56 could not be found.",
  "exception": "Symfony\\Component\\HttpKernel\\Exception\\NotFoundHttpException",
  "file": "/home/project6/public_html/drivelink_new/vendor/laravel/framework/src/Illuminate/Routing/AbstractRouteCollection.php",
  "line": 44,
  "trace": [ ... ]
}

Root Cause

The Laravel application is running with APP_DEBUG=true on a publicly accessible server. This setting should only ever be enabled in local development environments.

Fix

Set APP_DEBUG=false in the server’s .env file and restart the application. This is a single-line change and requires no code modifications.
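As a defence-in-depth measure alongside the .env change, the API's JSON error body can be pinned to the documented shape so that a future APP_DEBUG=true cannot reintroduce the dump. The following is an added example, not the DriveLink project's code; it assumes a Laravel 8–10 style handler at app/Exceptions/Handler.php and that API callers send Accept: application/json (the condition under which Laravel renders errors as JSON).

```php
<?php
// app/Exceptions/Handler.php (added example; assumes a Laravel 8-10 handler class)

namespace App\Exceptions;

use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Throwable;

class Handler extends ExceptionHandler
{
    /**
     * Laravel builds every JSON error body through this method. The framework's
     * default emits message/exception/file/line/trace whenever APP_DEBUG=true,
     * which is exactly the dump described in DEF-029. Overriding it fixes the
     * body to {"status","message"} regardless of the APP_DEBUG value.
     * Full details still reach the server log via the unchanged report() path.
     */
    protected function convertExceptionToArray(Throwable $e): array
    {
        if ($e instanceof NotFoundHttpException) {
            // Unknown route or missing model: the framework's own message echoes
            // the requested path, so replace it with a fixed string.
            $message = 'Not found.';
        } elseif ($this->isHttpException($e)) {
            // 4xx/5xx raised deliberately via abort(): the message is app-controlled.
            $message = $e->getMessage() ?: 'Request failed.';
        } else {
            // Unexpected exception: nothing about its origin goes to the client.
            $message = 'Internal server error.';
        }

        return ['status' => '0', 'message' => $message];
    }
}
```

The .env change in the Fix section is still required; if the application caches its configuration, re-run `php artisan config:cache` after editing .env, otherwise the old APP_DEBUG value stays in effect.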

Impact

  • Discloses the exact server directory layout (/home/project6/public_html/drivelink_new/)
  • Reveals the Laravel version and loaded middleware chain
  • Provides a detailed internal map of the application structure to any unauthenticated caller — the stack trace is returned before any auth check
  • This vulnerability is triggered by at least 15 currently unimplemented routes (see DEF-030), meaning any caller probing the API surface receives this data automatically
  • Classified as CWE-209: Generation of Error Message Containing Sensitive Information

Severity

High (Security)

Status

New

Reported By

QA / Testing Team