## [CRITICAL VULNERABILITY] Backend Payout Route Leaks Full Database Schema via Raw SQL Errors
A high-severity bug in the backend's payout system is actively exposing the complete internal database schema to any client, including potential attackers. The vulnerability, located in `backend/src/routes/bets.js`, sends raw PostgreSQL error messages directly to the client in every catch block. These messages contain sensitive internal details such as table names, column names, constraint names, and raw query fragments, providing a detailed blueprint for exploitation.

The root cause is a complete lack of error sanitization. All catch blocks and the global error handler in `index.js` directly return `err.message` in the HTTP response. This design flaw transforms routine database errors—like unique constraint violations (error code 23505) or foreign key violations (23503)—into a significant information disclosure risk. Attackers can probe the endpoint to systematically map the database structure, a critical step before launching more targeted attacks.

The exposure represents a foundational security failure, bypassing standard application-layer safeguards. While the immediate risk is reconnaissance, the detailed schema knowledge significantly lowers the barrier for subsequent data exfiltration or injection attacks. The fix requires implementing a dedicated error sanitization utility that maps internal PostgreSQL codes to safe, generic user-facing messages; this critical patch severs the direct pipeline from database internals to the public API.
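
One way to build the sanitization utility described above, as an added example that is not code from the affected repository. It assumes an Express-style error handler and node-postgres error objects (`code`, `detail`, `table`, `constraint`); the function names, message wording, HTTP statuses and the sample constraint name are hypothetical.

```javascript
// Added example: hypothetical helper, not code from the affected repository.
// SQLSTATE codes are PostgreSQL's; the messages and HTTP statuses are assumptions.
const SAFE_ERRORS = new Map([
  ['23505', { status: 409, message: 'That record already exists.' }],
  ['23503', { status: 400, message: 'A referenced record does not exist.' }],
  ['23502', { status: 400, message: 'A required field is missing.' }],
  ['22P02', { status: 400, message: 'A value has an invalid format.' }],
]);
const GENERIC = { status: 500, message: 'Internal server error.' };

// Correlation id so an operator can find the matching server-side log entry.
function newErrorId() {
  return globalThis.crypto?.randomUUID?.() ??
    `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
}

// Full detail goes to the server log; the client gets only a fixed message.
function sanitizeDbError(err, log = console.error) {
  const errorId = newErrorId();
  const code = typeof err?.code === 'string' ? err.code : undefined;
  const safe = SAFE_ERRORS.get(code) ?? GENERIC; // unknown codes fail closed
  log({ errorId, code, message: err?.message, detail: err?.detail,
        table: err?.table, constraint: err?.constraint });
  return { status: safe.status, body: { error: safe.message, errorId } };
}

// Express-style error middleware (four arguments); register it after all routes.
function makeErrorHandler(log = console.error) {
  return function errorHandler(err, req, res, next) {
    if (res.headersSent) return next(err);
    const { status, body } = sanitizeDbError(err, log);
    res.status(status).json(body);
  };
}

// Constructed error shaped like a node-postgres unique violation.
function sampleUniqueViolation() {
  const err = new Error(
    'duplicate key value violates unique constraint "bets_user_market_key"');
  return Object.assign(err, { code: '23505', table: 'bets',
    constraint: 'bets_user_market_key',
    detail: 'Key (user_id, market_id)=(7, 12) already exists.' });
}
```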

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, backend, database, postgresql
- **Credibility**: unverified
- **Published**: 2026-03-28 03:26:58
- **ID**: 38706
- **URL**: https://whisperx.ai/en/intel/38706