Critical Credential Exposure Risk Detected in Admin API Endpoint
A critical security flaw has been identified in the administrative API infrastructure where sensitive authentication credentials were being transmitted in plaintext API responses. The vulnerability, documented as issue #3246, affected the admin dashboard endpoint in src/routes/admin.js and exposed both Stripe API keys and database credentials to any client possessing an admin API key. The exposure occurred through direct inclusion of configuration values—specifically stripeKey and dbCredentials—within the dashboard response payload, creating a direct path for credential interception.
The technical mechanism involved the direct serialization of configuration objects containing sensitive secrets into the API response. When administrative users accessed the dashboard, the response contained not only expected interface data but also the raw API key for the payment processing system and complete database connection credentials. This design flaw meant that any compromised admin session, man-in-the-middle attack, or improperly secured logging system could capture these exposed secrets, granting an attacker the keys to both financial transaction infrastructure and the underlying database.
The implications extend beyond immediate credential theft. With Stripe API keys exposed in this manner, an attacker could potentially execute unauthorized charges, access transaction histories, and manipulate billing configurations. Database credentials would grant direct access to organizational data stores, potentially compromising customer information and operational records. Security teams auditing similar codebases should search for instances where configuration objects containing authentication material are serialized into API responses without proper sanitization. The fix requires removing all sensitive configuration data from endpoint responses and implementing runtime validation to prevent future regressions.
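The exposure and its fix, as an added example that is not the code from src/routes/admin.js or issue #3246: the function names, the config shape and every value below are assumptions constructed for illustration. It puts the leaking payload beside an allowlisted one and adds a runtime guard that refuses to send any response containing a configured secret value.

```javascript
// Constructed sample config; every value is a placeholder, not a real credential.
const config = {
  appName: 'admin-console',
  stripeKey: 'sk_test_PLACEHOLDER_0000',
  dbCredentials: { host: 'db.internal.example', user: 'app', password: 'PLACEHOLDER_pw' },
};
const sampleStats = { users: 42, openTickets: 3 };

// "Before": the pattern the article describes, config values copied into the payload.
function buildDashboardVulnerable(cfg, stats) {
  return { stats, stripeKey: cfg.stripeKey, dbCredentials: cfg.dbCredentials };
}

// "After": explicit allowlist; integrations are reported as booleans, never as values.
function buildDashboard(cfg, stats) {
  return {
    appName: cfg.appName,
    stats: { users: stats.users, openTickets: stats.openTickets },
    integrations: { stripeConfigured: Boolean(cfg.stripeKey), dbConfigured: Boolean(cfg.dbCredentials) },
  };
}

// Collect string leaves under the secret-bearing keys (short values skipped to limit false hits).
function secretValues(cfg, keys = ['stripeKey', 'dbCredentials']) {
  const out = [];
  const walk = (v) => {
    if (typeof v === 'string' && v.length >= 8) out.push(v);
    else if (v && typeof v === 'object') Object.values(v).forEach(walk);
  };
  keys.forEach((k) => walk(cfg[k]));
  return out;
}

// Runtime guard: return the JSON paths in the payload whose string value contains a secret.
function findLeaks(payload, secrets, path = '$') {
  if (typeof payload === 'string') return secrets.some((s) => payload.includes(s)) ? [path] : [];
  if (!payload || typeof payload !== 'object') return [];
  return Object.entries(payload).flatMap(([k, v]) => findLeaks(v, secrets, `${path}.${k}`));
}

// Serialize only if the guard finds nothing; otherwise fail closed with the offending paths.
function sendSafe(payload, cfg) {
  const leaks = findLeaks(payload, secretValues(cfg));
  if (leaks.length) throw new Error(`response blocked, secret at: ${leaks.join(', ')}`);
  return JSON.stringify(payload);
}
```

Running the same guard in a unit test over every admin route's response catches a regression before it ships; note that the error message reports paths only, so the guard itself never logs the secret.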