GuardAPI

Fix Improper Error Handling in CherryPy

Default CherryPy deployments often leak sensitive stack traces and system metadata when unhandled exceptions occur. This is a gift for attackers performing reconnaissance. To secure the application, you must suppress internal verbosity, disable tracebacks in the response body, and implement a centralized error handling strategy that logs the details server-side while returning generic, non-descriptive messages to the client.

The Vulnerable Pattern

import cherrypy


class VulnerableApp:
    @cherrypy.expose
    def index(self, param):
        # VULNERABILITY: If 'param' is missing or the code fails,
        # CherryPy's default behavior (in dev) leaks a full traceback.
        result = 100 / int(param)
        return str(result)


if __name__ == '__main__':
    # Default config often leaves show_tracebacks enabled
    cherrypy.quickstart(VulnerableApp())

The Secure Implementation

The fix targets three critical areas:

1. Configuration: Setting 'request.show_tracebacks' to False ensures the Python stack trace is never sent to the client.
2. Custom Handlers: Defining 'error_page.default' intercepts all unhandled exceptions to return a sanitized, uniform response.
3. Explicit Logging: By using cherrypy.log, we preserve the diagnostic data on the server disk where it belongs, while the user only sees a generic 500 status.

This prevents information leaks about the application's internal logic or library versions.

import json
import cherrypy


def handle_error(status, message, traceback, version):
    # CherryPy calls a callable 'error_page.default' with these keyword
    # arguments and uses the returned bytes as the response body. Nothing
    # from 'traceback' or 'message' is echoed back to the client.
    cherrypy.response.headers['Content-Type'] = 'application/json'
    return json.dumps({"error": "Internal Server Error",
                       "request_id": "Check logs"}).encode('utf-8')


class SecuredApp:
    _cp_config = {
        'request.show_tracebacks': False,
        'request.show_mismatched_params': False,
        'error_page.default': handle_error,
    }

    @cherrypy.expose
    @cherrypy.tools.json_out()
    def index(self, param=None):
        try:
            if param is None:
                raise cherrypy.HTTPError(400, "Missing parameter")
            return {"result": 100 / int(param)}
        except cherrypy.HTTPError:
            # Deliberate client errors (like the 400 above) pass through unchanged
            raise
        except Exception as e:
            # Log the actual error (with its traceback) for developers,
            # but don't show the user
            cherrypy.log("Execution error: %s" % str(e), severity=40, traceback=True)
            raise cherrypy.HTTPError(500)


if __name__ == '__main__':
    cherrypy.config.update({'engine.autoreload.on': False})
    cherrypy.quickstart(SecuredApp())
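As a regression check for the three settings above, here is an added example (written for this page; it is not GuardAPI's or CherryPy's own code) that runs without a server: audit_error_config() inspects a config mapping such as a class's _cp_config for the required keys, and body_leaks_internals() scans a captured error-response body for traceback and version markers. The HARDENED_CONFIG dict and both sample bodies are constructed for the demonstration, and the leak patterns assume CherryPy's default error template (a <pre> traceback block and a "Powered by CherryPy <version>" footer).

```python
"""Offline checks for the CherryPy error-handling hardening described above.

Added example, not GuardAPI's or CherryPy's own code. It needs no running
server: audit_error_config() inspects a config mapping such as a class's
_cp_config, and body_leaks_internals() scans a captured error-response
body. The sample config and bodies below are constructed for the demo.
"""
import re

# Settings the remediation relies on and the value each must have.
# None means "must be present as a callable or a template path".
REQUIRED_SETTINGS = {
    "request.show_tracebacks": False,
    "request.show_mismatched_params": False,
    "error_page.default": None,
}

# Markers of CherryPy's default error page and Python tracebacks that a
# sanitized error response must never contain (assumes the default template).
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "[^"]+\.py", line \d+'),   # Python frame lines
    re.compile(r"Powered by .*CherryPy", re.I),  # default page footer
    re.compile(r"\bCherryPy \d+\.\d+"),          # bare version string
]


def audit_error_config(config):
    """Return findings for a config mapping; an empty list means compliant."""
    findings = []
    for key, expected in REQUIRED_SETTINGS.items():
        if key not in config:
            findings.append("%s is not set (CherryPy default is permissive)" % key)
        elif expected is not None and config[key] != expected:
            findings.append("%s is %r, expected %r" % (key, config[key], expected))
        elif expected is None and not (callable(config[key]) or isinstance(config[key], str)):
            findings.append("%s must be a callable or a file path" % key)
    return findings


def body_leaks_internals(body):
    """True if an HTTP error body contains traceback or version markers."""
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    return any(p.search(body) for p in LEAK_PATTERNS)


# Constructed sample: mirrors the _cp_config of the hardened app above.
HARDENED_CONFIG = {
    "request.show_tracebacks": False,
    "request.show_mismatched_params": False,
    "error_page.default": lambda **kwargs: b'{"error": "Internal Server Error"}',
}

# Constructed sample: abbreviated default 500 page with tracebacks left on.
LEAKY_BODY = (
    "<html><body><h2>500 Internal Server Error</h2>"
    '<pre id="traceback">Traceback (most recent call last):\n'
    '  File "/srv/app/app.py", line 12, in index\n'
    "    result = 100 / int(param)\n"
    "ZeroDivisionError: division by zero\n</pre>"
    '<div id="powered_by">Powered by CherryPy 18.0.0</div></body></html>'
)

# Constructed sample: the body the hardened handler returns.
SANITIZED_BODY = b'{"error": "Internal Server Error", "request_id": "Check logs"}'


if __name__ == "__main__":
    print("default config findings:", audit_error_config({}))
    print("hardened config findings:", audit_error_config(HARDENED_CONFIG))
    print("leaky body leaks:", body_leaks_internals(LEAKY_BODY))
    print("sanitized body leaks:", body_leaks_internals(SANITIZED_BODY))
```

In practice, point body_leaks_internals() at the body of a real error response from a staging instance (for example by requesting the endpoint with a parameter that triggers the ZeroDivisionError) and fail the test suite if it returns True; run audit_error_config() over every _cp_config and global config dict so a later refactor cannot silently re-enable tracebacks.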


Verified by Ghost Labs Security Team
