GuardAPI

Fix Improper Error Handling in ElysiaJS

Improper error handling in ElysiaJS apps is a reconnaissance gift. Returning raw stack traces or database driver exceptions to the client leaks internal architecture, hostnames, file paths, and dependency versions. To harden an Elysia instance, implement a global error handler that sanitizes what the client sees while keeping the full detail in internal audit logs.

The Vulnerable Pattern

```javascript
import { Elysia } from 'elysia';

// fetchUserFromDb is the app's own data-access function (defined elsewhere)

const app = new Elysia()
  .get('/user/:id', async ({ params }) => {
    // VULNERABLE: internal failure details are thrown straight to the client.
    // With no onError hook, Elysia's default error response carries the thrown
    // error's message, so the string below reaches the caller verbatim.
    const data = await fetchUserFromDb(params.id);
    if (!data) {
      // Leaks cluster name, host and port to anyone who requests a bad id; a
      // driver exception surfacing here would leak connection details the same way
      throw new Error(`Failed to connect to PG_CLUSTER at 10.0.4.2:5432 for user ${params.id}`);
    }
    return data;
  })
  .listen(3000);
```

The Secure Implementation

The fix has three layers. First, register custom exception classes with Elysia's .error() method so each failure class gets its own error code and can be handled by code rather than by matching message strings. Second, add an .onError() life-cycle hook that intercepts every exception before it reaches the client. This hook is the choke point: it writes the full message, stack trace and wrapped cause to an internal sink (stdout or a log file) and returns a sanitized JSON object with a generic message to the user. Third, set set.status explicitly in every branch so the response code matches the public message instead of whatever the thrown error carried; a defaulted or inconsistent status tells a scanner which internal path failed even when the body is generic.

```javascript
import { Elysia } from 'elysia';

// Custom error type so onError can map by code instead of by message string
class DatabaseError extends Error {
  constructor(message, options) {
    super(message, options);
    this.name = 'DatabaseError';
  }
}

const app = new Elysia()
  // 1. Register the class; Elysia passes code 'DB_ERROR' to onError for it
  .error({ DB_ERROR: DatabaseError })
  .onError(({ code, error, set }) => {
    // 2. Log the full details (message, stack, wrapped cause) to the internal sink only
    console.error(`[SEC-AUDIT] ${code}: ${error.message}`, error.stack, error.cause);

    // 3. Map internal failures to generic public messages with explicit statuses
    switch (code) {
      case 'DB_ERROR':
        set.status = 500;
        return { status: 'fail', message: 'Internal persistence failure' };
      case 'NOT_FOUND':
        set.status = 404;
        return { status: 'fail', message: 'Resource not found' };
      case 'VALIDATION':
        set.status = 400;
        // error.all lists the failing fields; it mirrors your schema, so review
        // what it contains before returning it unfiltered
        return { status: 'fail', errors: error.all };
      default:
        set.status = 500;
        return { status: 'error', message: 'An unexpected error occurred' };
    }
  })
  .get('/user/:id', async ({ params }) => {
    try {
      return await fetchUserFromDb(params.id);
    } catch (e) {
      // Keep the driver's error as `cause` so the audit log still has it;
      // the client only ever sees the DB_ERROR mapping above
      throw new DatabaseError('user lookup failed', { cause: e });
    }
  })
  .listen(3000);
```
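The mapping inside the onError hook above is the part worth unit-testing: the property to prove is that no internal string (message, stack frame, wrapped driver error) ever appears in the public body, and that validation errors are trimmed to field path and message rather than echoing the schema. The following is an added example, not code from the page or from Elysia: the same mapping extracted into framework-free functions so it runs offline. The error classes, the codeFor mapping (standing in for what .error() registration gives onError), and the ValidationError shape with an `all` array are this example's own assumptions.

```javascript
// Added example (not from the GuardAPI page or Elysia): the onError mapping as
// plain functions so the "nothing internal reaches the client" property is testable.

class DatabaseError extends Error {
  constructor(message, options) {
    super(message, options);
    this.name = 'DatabaseError';
  }
}

// Stand-in for a framework validation error: `all` lists each failing field
// together with the schema fragment it violated (constructed shape for this example).
class ValidationError extends Error {
  constructor(all) {
    super('Validation failed');
    this.name = 'ValidationError';
    this.all = all;
  }
}

class NotFoundError extends Error {
  constructor(message = 'Not found') {
    super(message);
    this.name = 'NotFoundError';
  }
}

// Assumed class-to-code mapping, mirroring what .error({ DB_ERROR: DatabaseError })
// registration provides to onError in the handler on the page.
function codeFor(err) {
  if (err instanceof DatabaseError) return 'DB_ERROR';
  if (err instanceof ValidationError) return 'VALIDATION';
  if (err instanceof NotFoundError) return 'NOT_FOUND';
  return 'UNKNOWN';
}

// Full-fidelity record for the internal sink: message, stack and the wrapped
// driver error (cause) stay server-side.
function auditRecord(code, err) {
  return {
    code,
    name: err.name,
    message: err.message,
    stack: err.stack,
    cause: err.cause instanceof Error ? err.cause.message : undefined,
  };
}

// Client-facing view: explicit status per code, generic message, and for
// validation failures only path and message, never the schema fragment.
function publicResponse(code, err) {
  switch (code) {
    case 'DB_ERROR':
      return { status: 500, body: { status: 'fail', message: 'Internal persistence failure' } };
    case 'NOT_FOUND':
      return { status: 404, body: { status: 'fail', message: 'Resource not found' } };
    case 'VALIDATION':
      return {
        status: 400,
        body: { status: 'fail', errors: err.all.map(({ path, message }) => ({ path, message })) },
      };
    default:
      return { status: 500, body: { status: 'error', message: 'An unexpected error occurred' } };
  }
}

// Leak check for tests/CI: does the serialized public body contain the internal
// message, the cause's message, or any individual stack line?
function leaksInternalDetail(body, err) {
  const serialized = JSON.stringify(body);
  const stackLines = (err.stack || '').split('\n').map((l) => l.trim()).filter(Boolean);
  const internal = [err.message, err.cause && err.cause.message, ...stackLines].filter(Boolean);
  return internal.some((s) => serialized.includes(s));
}

// What the onError hook does, without the framework: one input, two outputs.
function handleError(err) {
  const code = codeFor(err);
  return { code, audit: auditRecord(code, err), public: publicResponse(code, err) };
}
```

A CI test that calls handleError with a DatabaseError wrapping a driver error containing a host:port, then asserts leaksInternalDetail(result.public.body, err) is false, catches the regression where someone later "helpfully" adds error.message back into a response branch.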

Verified by Ghost Labs Security Team
