GitHub Security Review: CORS Proxy & Import Error Messages Leak Internal Infrastructure Details
A security review of a codebase has flagged a low-severity information disclosure vulnerability. The issue is that raw error messages from failed CORS proxy requests and data import operations are captured verbatim and may be exposed to users. Such messages can inadvertently leak internal details: proxy server URLs or IP addresses, stack traces from the network library, and snippets of HTTP response bodies.
The vulnerability is present in two key service files. In `src/services/cors-proxy.ts`, error messages are directly captured and stored when proxy requests fail. A similar pattern exists in `src/services/cheesefork.ts`, where the `batchImportSemesters()` function captures raw fetch or parse errors and includes them in a result object visible to the user interface. This creates a channel where internal system architecture and error patterns could be unintentionally revealed.
While classified as low severity, this exposure provides a potential attacker with reconnaissance data about the underlying proxy infrastructure and application behavior. Such information, though minor, can be useful for profiling a system and understanding its internal workings, which may inform more targeted attacks. The finding underscores the risk of verbose error handling in production systems, where even low-level data leaks can incrementally erode security posture.