GuardAPI

Fix Improper Error Handling in Feathers

Information disclosure through verbose error messages is low-hanging fruit for any pentester. In FeathersJS, an error that reaches the client unfiltered can carry a stack trace, internal file paths, the failing query, and table or column names from the database driver; a Feathers error's 'data' property in particular is serialised verbatim, so whatever the service attached to it goes out with the response. Hardening the error response layer is a cheap way to deny an attacker that reconnaissance.

The Vulnerable Pattern

const feathers = require('@feathersjs/feathers');
const express = require('@feathersjs/express');

const app = express(feathers());

// VULNERABLE: custom middleware that sends the raw error object to the client
app.use((err, req, res, next) => {
  // res.json() serialises every enumerable property of the error: the raw
  // 'data' payload of a Feathers error, or the query text, table and column
  // names that a database driver attaches to its errors. Nothing is redacted.
  res.status(err.code || 500).json(err);
});

The Secure Implementation

The vulnerability occurs because an error object carries far more than a message. A Feathers error's 'data' property is sent to the client unchanged, and services commonly put the underlying database driver error there (a SQL syntax error with the offending query, a table or column name, a MongoDB connection string). An error that is not a Feathers error arrives with its stack trace and the driver's own properties attached. The fix is to use the errorHandler middleware exported by @feathersjs/express and give it a custom 'json' handler. errorHandler first normalises whatever was thrown into a FeathersError with a numeric code, then calls that handler, which checks NODE_ENV; when it is 'production' the handler omits 'stack' and 'data', so an attacker only sees a generic error name, code and message. One caveat: a non-Feathers error is wrapped in a GeneralError that keeps the original message, so for 500-level errors the message itself should also be replaced with generic text rather than echoed.

const feathers = require('@feathersjs/feathers');
const express = require('@feathersjs/express');

const app = express(feathers());

// SECURE: use the built-in Feathers error handler with a production-safe JSON handler
app.use(express.errorHandler({
  logger: console,
  // Disable the HTML error pages so API clients always receive JSON
  html: false,
  // Custom JSON handler; errorHandler has already normalised err into a
  // FeathersError with a numeric code before calling this
  json: (err, req, res, next) => {
    const isProd = process.env.NODE_ENV === 'production';
    res.status(err.code).json({
      name: err.name,
      message: err.message,
      code: err.code,
      className: err.className,
      // Only reveal the stack and internal data outside production
      stack: isProd ? undefined : err.stack,
      data: isProd ? undefined : err.data
    });
  }
}));
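As an added example (not code from this page, from Feathers, or from any project), here is a stand-alone serialiser that performs the redaction described above and goes one step further: it also replaces the message of any 500-level error, since errorHandler wraps non-Feathers errors in a GeneralError that keeps the driver's message. The helper names (safeErrorBody, makeJsonErrorHandler, fakeResponse, respond, demo) and the three sample error objects are constructed for the example; the Feathers-shaped errors are built by hand so the script runs without @feathersjs/errors installed.

```javascript
// Added example, not code from the GuardAPI page or from Feathers.
// Helper and sample names below are constructed for illustration.

const FEATHERS_ERROR_TYPE = 'FeathersError';

// Build the JSON body the client may see. 'err' is whatever reached the
// handler (Feathers error, database driver error, plain TypeError);
// 'isProd' selects the redacted shape.
function safeErrorBody(err, isProd) {
  const isFeathersError =
    !!err && err.type === FEATHERS_ERROR_TYPE && Number.isInteger(err.code);

  if (!isFeathersError) {
    // Anything else becomes a generic 500. Its message may carry the failing
    // SQL or a connection string, so it is never echoed in production; the
    // whole object is only attached as 'data' outside production.
    return {
      name: 'GeneralError',
      message: isProd ? 'Internal server error' : String(err && err.message),
      code: 500,
      className: 'general-error',
      stack: isProd ? undefined : err && err.stack,
      data: isProd ? undefined : err
    };
  }

  // Feathers 4xx errors keep their message (the client must learn it sent a
  // bad id), but a 5xx message is replaced too, because errorHandler wraps a
  // driver error in a GeneralError that keeps the driver's message text.
  const hideMessage = isProd && err.code >= 500;
  return {
    name: err.name,
    message: hideMessage ? 'Internal server error' : err.message,
    code: err.code,
    className: err.className,
    stack: isProd ? undefined : err.stack,
    data: isProd ? undefined : err.data
  };
}

// (err, req, res, next) handler usable as errorHandler's 'json' option.
// The full error goes to the server-side logger, where a stack belongs.
function makeJsonErrorHandler({ isProd, logger }) {
  return (err, req, res, next) => {
    const body = safeErrorBody(err, isProd);
    if (body.code >= 500) {
      logger.error(err && err.stack ? err.stack : String(err));
    }
    res.status(body.code).json(body);
  };
}

// Stand-in for an Express response that records what would be sent.
// The JSON round-trip drops 'undefined' fields exactly as res.json() does.
function fakeResponse() {
  const out = { status: undefined, body: undefined };
  return {
    out,
    status(code) { out.status = code; return this; },
    json(body) { out.body = JSON.parse(JSON.stringify(body)); return this; }
  };
}

function respond(handler, err) {
  const res = fakeResponse();
  handler(err, {}, res, () => {});
  return res.out;
}

// Constructed sample (not a captured error): the shape node-postgres gives a
// failed query. Note the string 'code' and the schema details it carries.
const pgError = Object.assign(new Error('syntax error at or near "FROM"'), {
  code: '42601',
  severity: 'ERROR',
  internalQuery: "SELECT * FROM users WHERE name = ''' OR 1=1",
  schema: 'public',
  table: 'users'
});

// Constructed sample: a Feathers NotFound, built by hand.
const notFound = Object.assign(new Error('No record found for id 42'), {
  type: FEATHERS_ERROR_TYPE, name: 'NotFound', code: 404,
  className: 'not-found', data: { query: { id: 42 } }
});

// Constructed sample: what errorHandler turns pgError into, a GeneralError
// that keeps the driver's message.
const wrappedPg = Object.assign(new Error(pgError.message), {
  type: FEATHERS_ERROR_TYPE, name: 'GeneralError', code: 500,
  className: 'general-error', data: { errors: pgError }
});

// Run the samples through both modes; returns the captured responses.
function demo() {
  const silent = { error() {} };
  const prod = makeJsonErrorHandler({ isProd: true, logger: silent });
  const dev = makeJsonErrorHandler({ isProd: false, logger: silent });
  return {
    prodPg: respond(prod, pgError),
    devPg: respond(dev, pgError),
    prodNotFound: respond(prod, notFound),
    prodWrapped: respond(prod, wrappedPg)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To wire it into a real app, pass `json: makeJsonErrorHandler({ isProd: process.env.NODE_ENV === 'production', logger: console })` to `express.errorHandler`. The sample also shows why the vulnerable handler on this page is fragile beyond the leak: a node-postgres error has a string 'code' such as '42601', which `res.status()` cannot use, so the raw handler would throw before it even sent the leaky body.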


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500 vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.