## [SECURITY] Critical Data Exposure: JSON.stringify in Error Builder Leaks Passwords, API Keys, PII
A critical security vulnerability in a core error-handling function is exposing sensitive data—including passwords, API keys, and personal information—directly into application logs and error messages. The flaw resides in the `error()` function within `packages/core/src/error/builder.ts`, where the default behavior uses `JSON.stringify()` on all arguments passed to create a domain error. This process inadvertently serializes and embeds any confidential data contained within those arguments into the resulting error text.

The exposure occurs when applications create errors without a custom message formatter. Any sensitive payload—such as user credentials, authentication tokens, or personally identifiable information (PII)—passed as an argument to the error constructor is stringified and becomes part of the error's message. This creates a direct attack vector where internal logs, monitoring dashboards, or user-facing error displays can become repositories of leaked secrets.
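
The pattern described above, next to one way to mask it, as an added example that is not code from the affected project. `naiveError`, `safeError`, `redact`, the `DomainError` shape, the sensitive-key list and the sample payload are all assumptions made for illustration.

```typescript
// Added illustration; every name here is hypothetical, not the project's API.
type DomainError = { code: string; message: string };

// Behaviour the report describes: with no custom formatter, each argument
// goes through JSON.stringify and lands in the error message verbatim.
function naiveError(code: string, ...args: unknown[]): DomainError {
  return { code, message: `${code}: ${args.map((a) => JSON.stringify(a)).join(" ")}` };
}

// Key names treated as sensitive (assumed list; extend per application).
const SENSITIVE_KEY = /password|passwd|secret|token|api[-_]?key|authorization|cookie|ssn|email/i;

// JSON.stringify replacer: invoked for every key at every depth,
// so nested secrets are masked as well as top-level ones.
function redact(key: string, value: unknown): unknown {
  return key !== "" && SENSITIVE_KEY.test(key) ? "[REDACTED]" : value;
}

function safeStringify(arg: unknown): string {
  try {
    return JSON.stringify(arg, redact);
  } catch {
    return "[unserializable]"; // circular reference, BigInt, throwing toJSON
  }
}

function safeError(code: string, ...args: unknown[]): DomainError {
  return { code, message: `${code}: ${args.map(safeStringify).join(" ")}` };
}

// Constructed sample input, not taken from the report.
const loginAttempt = {
  user: "alice",
  password: "hunter2",
  headers: { Authorization: "Bearer abc.def.ghi" },
  profile: { email: "alice@example.com", plan: "pro" },
};

const leaked = naiveError("AUTH_FAILED", loginAttempt).message; // contains the password
const masked = safeError("AUTH_FAILED", loginAttempt).message;  // secrets replaced
console.log(leaked);
console.log(masked);
```

Key-name redaction does not catch secrets passed as bare string arguments or embedded inside other values, so an allowlist of fields that may appear in error text is the stricter design.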

The impact is immediate and severe, classified as a critical data exposure and information disclosure issue. Organizations using the affected component risk having their most sensitive credentials and user data spill into log files, which could be accessed by unauthorized internal personnel or exposed through subsequent log aggregation or monitoring system breaches. The vulnerability necessitates urgent review and patching of any implementation that passes unprotected sensitive data through this error builder.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, data_leak, vulnerability, logging, credentials
- **Credibility**: unverified
- **Published**: 2026-03-30 12:27:09
- **ID**: 41216
- **URL**: https://whisperx.ai/en/intel/41216