## RPC Security Flaw: Raw Database Error Strings Exposed to Untrusted Clients
A critical security vulnerability has been identified in the RPC layer of a software system, where raw, detailed database error messages are being directly returned to untrusted remote callers. The flaw resides in the `handle` function within the `crates/rpc/src/methods/get_transactions.rs` file. When a database operation fails, the handler maps the failure to a JSON-RPC error, but crucially formats it to include the full backend error string (`"database error: {}"`). This exposes internal implementation details—such as specific SQLite errors, database schema information, filesystem paths, and operational state—directly in the API response.

This exposure creates a significant reconnaissance vector for attackers. An exploit scenario involves an adversary repeatedly probing the vulnerable RPC endpoint, especially during database failures or edge-case states, to harvest these detailed error messages from the JSON-RPC responses. The leaked information can serve as a treasure trove for operational reconnaissance, providing insights into the backend's structure and state, which can directly aid in planning and executing follow-on, more targeted attacks.

The automated security audit, conducted CTF-style using the github-copilot/gpt-5.4 model, classifies this finding as MEDIUM severity. The suggested remediation is straightforward but critical: log the full, detailed database error securely on the server side for internal debugging, while returning only a generic, non-revealing internal error message (e.g., "Internal server error") to the remote client. This fix would close the information leak without impacting legitimate error handling for system operators.

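
The leaky mapping and the suggested remediation side by side, as an added example that is not the project's own code. `DbError`, `RpcError`, `leaky_map`, `safe_map`, the incident id and the sample error text are assumptions made for illustration; only the `"database error: {}"` format string and the generic "Internal server error" message come from the report.

```rust
use std::collections::hash_map::RandomState;
use std::fmt;
use std::hash::{BuildHasher, Hasher};

/// Stand-in for the backend failure type (hypothetical).
#[derive(Debug)]
pub struct DbError(pub String);

impl fmt::Display for DbError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&self.0)
    }
}

/// Minimal JSON-RPC 2.0 error object (hypothetical type).
#[derive(Debug, PartialEq)]
pub struct RpcError {
    pub code: i64,
    pub message: String,
}

/// "Internal error" code defined by JSON-RPC 2.0.
pub const INTERNAL_ERROR: i64 = -32603;

/// Pattern described in the report: backend text is formatted into the reply.
pub fn leaky_map(e: &DbError) -> RpcError {
    RpcError { code: INTERNAL_ERROR, message: format!("database error: {}", e) }
}

/// Hardened mapping: full detail goes to the server-side log; the client gets
/// a fixed message plus an opaque incident id for correlating with that log.
pub fn safe_map(e: &DbError, server_log: &mut Vec<String>) -> RpcError {
    // Randomly keyed hash output: a log correlation handle, not a secret.
    let id = RandomState::new().build_hasher().finish();
    server_log.push(format!("incident={:016x} get_transactions database failure: {}", id, e));
    RpcError { code: INTERNAL_ERROR, message: format!("Internal server error (incident {:016x})", id) }
}

fn main() {
    // Constructed sample error text, not output from the real system.
    let err = DbError("unable to open database file: /var/lib/node/state.sqlite".into());
    let mut log = Vec::new();
    println!("leaky: {:?}", leaky_map(&err));
    println!("safe:  {:?}", safe_map(&err, &mut log));
    println!("log:   {:?}", log);
}
```
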
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security_vulnerability, rpc, database, error_handling, information_disclosure
- **Credibility**: unverified
- **Published**: 2026-04-06 15:27:10
- **ID**: 51644
- **URL**: https://whisperx.ai/en/intel/51644