Reflected request path in error response (unnormalized route handling)
Error responses included the unnormalized request path, allowing a user-controlled string to be reflected into the response body. Combined with a permissive content type, this is the seed of a self-XSS or content-injection issue.
Description
The backend's error handler echoed the request path verbatim in the JSON error body without normalization or sanitization. A crafted URL could include characters that, when rendered by a permissive client, produced an injection-flavored response.
Impact
Low on its own. Becomes meaningful if the error response is consumed by a UI that renders the reflected value as HTML, or if logging pipelines render error bodies into rich text.
Recommendation
Normalize the request path before reflecting it (or reflect only a sanitized identifier). Avoid reflecting raw client-controlled input into error bodies. Set a strict Content-Type on error responses and ensure consumer UIs treat error bodies as plain text.
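The following Python is an added illustration of the finding and the recommendation, not the audited backend's code: a hypothetical handler that concatenates the raw path into the body beside a hardened one that percent-decodes, collapses dot segments, allowlists the characters it will echo, and forces a strict JSON content type. The function names and the 404 body shape are assumptions.

```python
import json
import posixpath
import re
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Both handlers are hypothetical stand-ins for the audited backend's
# error path; the names and the 404 body shape are assumptions.


def vulnerable_error_response(raw_path: str) -> Tuple[int, Dict[str, str], str]:
    """The finding: the raw request path is concatenated into the body.

    A quote or angle bracket in the path breaks the JSON and, under the
    permissive text/html type, is rendered rather than displayed."""
    body = '{"error": "route not found: ' + raw_path + '"}'
    return 404, {"Content-Type": "text/html"}, body


# Conservative allowlist for what a route path may contain after normalization.
_SAFE_PATH = re.compile(r"[A-Za-z0-9/_.\-]{1,256}")


def normalize_path(raw_path: str) -> str:
    """Percent-decode, then collapse dot segments and repeated slashes."""
    decoded = unquote(raw_path)
    # lstrip avoids POSIX's special-cased leading "//", which normpath keeps
    return posixpath.normpath("/" + decoded.lstrip("/"))


def reflectable_path(raw_path: str) -> Optional[str]:
    """Return the normalized path only if it is safe to echo, else None."""
    normalized = normalize_path(raw_path)
    return normalized if _SAFE_PATH.fullmatch(normalized) else None


def hardened_error_response(raw_path: str) -> Tuple[int, Dict[str, str], str]:
    """Echo only a normalized, allowlisted path and force a strict JSON type."""
    body = json.dumps({"error": "route not found", "path": reflectable_path(raw_path)})
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # stops browsers from sniffing the body into HTML
        "X-Content-Type-Options": "nosniff",
    }
    return 404, headers, body
```

A path that fails the allowlist is replaced by `null` rather than escaped, so the body never carries client-chosen markup regardless of how a consumer renders it.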
Fair Casino: Fixed. Zealynx: Verified.