Security Flaw: Multiple API Handlers Leak Internal Error Details, Exposing System Architecture
A medium-severity security vulnerability has been identified in a web application's API, where multiple critical endpoint handlers are leaking raw internal error details directly to clients. This exposure includes sensitive implementation information such as upstream service responses, stack-adjacent context, and internal resource names. The leak provides a potential roadmap for attackers, enabling enumeration of system components and facilitating more targeted, sophisticated attacks against the application's infrastructure.
The flaw is not isolated to a single endpoint but is present across several core API functions. Specifically, the vulnerability exists in the `converse`, `playground`, `action`, `generate`, and `inspirations` handlers within the `packages/web/api/src/functions/` directory. The problematic code returns full exception text, bypassing standard security practices that mandate sanitized, client-safe error messages. This pattern of information disclosure falls under the OWASP Top 10 category A05:2021 for Security Misconfiguration, indicating a systemic failure in error handling protocols.
The primary risk is reconnaissance. By analyzing the leaked error details, a malicious actor can map the application's internal architecture, identify dependencies, and infer potential weak points. This intelligence significantly lowers the barrier for subsequent exploitation attempts. The recommended mitigation is immediate: all affected handlers must be refactored to return only generic error messages to the client. Detailed diagnostic information, including correlation IDs for tracing, should be logged exclusively server-side where it can be accessed securely by developers for debugging without exposing the system's internals.
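The pattern described above, as an added illustration that is not code from the affected project: a `converse`-style handler shown first as it leaks the raw exception text, then hardened to return a generic message plus a correlation ID while the full detail goes only to the server-side log. The upstream call, its error text, the log sink and the handler signature are constructed for the example.

```javascript
// Added example, not code from the affected project. Upstream call, error text,
// log sink and request shape are constructed for illustration.

// Simulated upstream dependency whose failure text carries internal resource
// names and upstream response details (constructed sample).
function callUpstream(prompt) {
  throw new Error(
    "ECONNREFUSED model-gateway.internal:8443 (upstream 502 from llm-pool-2, " +
      `deployment 'converse-prod', prompt length ${prompt.length})`
  );
}

// VULNERABLE pattern: the full exception text is returned to the client.
function converseVulnerable(req) {
  try {
    return { status: 200, body: { reply: callUpstream(req.body.prompt) } };
  } catch (err) {
    return { status: 500, body: { error: err.message } }; // leaks internals
  }
}

// Server-side log sink (an array here so the behaviour can be inspected).
const serverLog = [];

// HARDENED pattern: generic client message plus a correlation ID; the exception
// message and stack are written only to the server-side log under that ID.
function converseHardened(req, makeId = () => globalThis.crypto.randomUUID()) {
  const correlationId = makeId();
  try {
    return { status: 200, body: { reply: callUpstream(req.body.prompt) } };
  } catch (err) {
    serverLog.push({
      correlationId,
      handler: "converse",
      message: err.message,
      stack: err.stack,
    });
    return {
      status: 500,
      body: { error: "Internal error. Quote the correlationId when reporting.", correlationId },
    };
  }
}
```

The same shape applies to the other affected handlers: the client sees only the generic message and ID, and an operator looks the ID up in the server log to recover the upstream detail.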