Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (
.git, backup files,phpinfo()) and internal endpoints before deployment - Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy
X-Content-Type-Options, remove server version banners, and disable directory indexing - Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
Recent CVEs (13304)
In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Balance device refcount when destroying devices Using device_find_child() to lookup the proper SCMI device to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Memory Leak vulnerability could allow attackers to exhaust available memory leading to denial of service.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix the inode leak in btrfs_iget() [BUG] There is a bug report that a syzbot reproducer can lead to the following busy inode. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Memory Leak vulnerability could allow attackers to exhaust available memory leading to denial of service.
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free in hdcp The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
In the Linux kernel, the following vulnerability has been resolved: powerpc64/ftrace: fix module loading without patchable function entries get_stubs_size assumes that there must always be at least. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: spi: spi-mem: Add fix to avoid divide error For some SPI flash memory operations, dummy bytes are not mandatory. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix error handling path in bnxt_init_chip() WARN_ON() is triggered in __flush_work() if bnxt_init_chip() fails because we. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
A vulnerability has been found in Netgear DGND3700 1.1.00.15_1.00.15NA and classified as problematic. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
TYPO3 is an open source, PHP based web content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue in Zalo v23.09.01 allows attackers to obtain sensitive user information via a crafted GET request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as problematic, has been found in Netgear DGND3700 1.1.00.15_1.00.15NA. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
VMware Cloud Foundation contains an information disclosure vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwriteunit(), the return value of inftl_read_oob() need to be. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
A passback vulnerability which relates to office/small office multifunction printers and laser printers. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A passback vulnerability which relates to production printers and office multifunction printers. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability exists in PX Backup whereby sensitive information may be logged under specific conditions. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.
samlify is a Node.js library for SAML single sign-on. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Gardener implements the automated management and operation of Kubernetes clusters as a service. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Gardener implements the automated management and operation of Kubernetes clusters as a service. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS allows PHP Local File Inclusion.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Gardener External DNS Management is an environment to manage external DNS entries for a kubernetes cluster. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Solid Plugins AnalyticsWP allows Retrieve Embedded Sensitive Data.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.
A permissions issue was addressed with additional restrictions. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A logic issue was addressed with improved checks. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
The issue was addressed with improved memory handling. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Rejected reason: Unused CVE record, incorrectly reserved. No vendor patch available.
a-blog cms multiple versions neutralize logs improperly. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with stack-based buffer overflow in VS6MemInIF!set_temp_type_default function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with stack-based buffer overflow in VS6File!CTxSubFile::get_ProgramFile_name function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with out-of-bounds read in VS6MemInIF.dll!set_plc_type_default function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with out-of-bounds read in VS6EditData!CGamenDataRom::set_mr400_strc function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with out-of-bounds read in VS6EditData!VS4_SaveEnvFile function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with out-of-bounds read in VS6EditData!Conv_Macro_Data function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with out-of-bounds read in VS6EditData!CDrawSLine::GetRectArea function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with out-of-bounds write in VS6ComFile!MakeItemGlidZahyou function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with out-of-bounds write in VS6EditData!CDataRomErrorCheck::MacroCommandCheck function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with out-of-bounds write in VS6MemInIF!set_temp_type_default function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
V-SFT v6.2.5.0 and earlier contains an issue with free of pointer not at start of buffer in VS6EditData.dll!CWinFontInf::WinFontMsgCheck function. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23165. No vendor patch available.
A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as critical, was found in D-Link DI-7003GV2 24.04.18D1 R(68125). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as problematic, has been found in D-Link DI-7003GV2 24.04.18D1 R(68125). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as problematic was found in D-Link DI-7003GV2 24.04.18D1 R(68125). Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as problematic was found in calmkart Django-sso-server up to 057247929a94ffc358788a37ab99e391379a4d15. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
O2 UK before 2025-05-19 allows subscribers to determine the Cell ID of other subscribers by initiating an IMS (IP Multimedia Subsystem) call and then reading the utran-cell-id-3gpp field of a. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability was found in weibocom rill-flow 0.1.18. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Rejected reason: Duplicate of CVE-2025-4919. No vendor patch available.
Rejected reason: Duplicate of CVE-2025-4918. No vendor patch available.
An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability has been found in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3 and classified as problematic. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Rejected reason: wrong year. No vendor patch available.
Rejected reason: wrong year. No vendor patch available.
Donetick an open-source app for managing tasks and chores. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The Wise Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.3 via the 'uploads' directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
A vulnerability classified as problematic has been found in y_project RuoYi 4.8.0. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
The CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to read and/or write data outside the Guest's virtualised GPU memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
libpspp-core.a in GNU PSPP through 2.0.1 has an incorrect call from fill_buffer (in data/encrypted-file.c) to the Gnulib rijndaelDecrypt function, leading to a heap-based buffer over-read. Rated low severity (CVSS 2.9), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.
Samsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing for an attacker to impersonate any and all websites. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal allows Retrieve Embedded Sensitive Data.0.15. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in redqteam Wishlist allows Retrieve Embedded Sensitive Data.1.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
A vulnerability classified as critical was found in CBEWIN Anytxt Searcher 1.3.1128.0. Rated high severity (CVSS 7.3). No vendor patch available.
A vulnerability was found in defog-ai introspect up to 0.1.4. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Ericsson Packet Core Controller (PCC) contains a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication credentials leakage vulnerability in Hitachi Ops Center Analyzer viewpoint.0.0-00 before 11.0.4-00. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site WebSocket Hijacking vulnerability in Hitachi Ops Center Analyzer (RAID Agent component).8.0-00 before 11.0.4-00; Hitachi Ops Center Analyzer: from 10.9.0-00 before 11.0.4-00. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as problematic, was found in D-Link DI-7003GV2 24.04.18D1 R(68125). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability, which was classified as problematic, has been found in D-Link DI-7003GV2 24.04.18D1 R(68125).data of the component Configuration Handler. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
IBM InfoSphere Information Server 11.7 could disclose sensitive information to an authenticated user that could aid in further attacks against the system through a directory listing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Spotipy is a Python library for the Spotify Web API. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Event Calendar WordPress plugin through 1.0.4 does not check for authorization on delete actions, allowing unauthenticated users to delete arbitrary calendars. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Z-Downloads WordPress plugin before 1.11.5 does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.