Reflected request path and query string in API 'Route Not Found' error responses
When requesting an invalid or non-existent API endpoint, the server returned a JSON error response that reflected the full requested route, including attacker-controlled query string parameters.
Description
When an invalid or non-existent API endpoint was requested, the server returned a JSON error response whose message field echoed the full requested route verbatim, including the query string. The query string is entirely attacker-controlled: whoever crafts the URL chooses, with no length limit, what text appears in the error message.
Example:

  Request:
    GET /api/address/generate?ael64smq30=1 HTTP/2
    Host: www.mynth.ai

  Response:
    HTTP/2 404 Not Found
    Content-Type: application/json; charset=utf-8

    {"message":"Route GET:/api/address/generate?ael64smq30=1 not found","error":"Not Found","statusCode":404}
While "route not found" responses are expected, reflecting attacker-controlled input (the query string) can introduce downstream risk. The response itself is served as application/json and the reflected value sits inside a JSON string, so a browser will not render it directly; the concern is any consumer that decodes the body and then interpolates message into a UI, a log line, a monitoring or alerting template, or another context that interprets special characters without escaping it for that context. Because the reflected value is neither normalised nor truncated, a single crafted link also lets an attacker push arbitrary, arbitrarily long text into whatever system stores or displays these messages.
Impact
Low. The reflected value is JSON-encoded and delivered with a JSON content type, so there is no direct injection into the API response itself. Risk surfaces only if a downstream consumer (front end, log viewer, alerting or ticketing integration) renders the decoded message as rich text or fails to escape special characters for its own output context.
Recommendation
- Prefer a constant message (for example "Route not found") and avoid reflecting request paths and query strings in error responses returned to clients. The client already knows what it requested.
- If reflecting the path is required for debugging, strip the query string, normalise the remainder (decode once, then re-encode), escape it for the output context, and truncate it to a safe maximum length. Any downstream consumer that renders these messages should still escape them for its own context rather than trust the API to have done so.
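The following is an added example written for this write-up, not code from the audited service (whose framework is not identified in the finding) or from the auditors. It reconstructs the observed reflecting 404 body beside a hardened replacement that applies the recommendation above (drop the query string, decode once, percent-encode strictly, cap the length), and includes a constructed naive consumer that interpolates the message into HTML, to show the downstream sink the finding warns about. The 128-character cap, the allowlist, and the test URLs are this example's own choices.

```javascript
// Added example; framework-agnostic. Runs under Node.js (uses the Buffer global).

const MAX_PATH_LEN = 128; // assumption: cap chosen for this example

// Behaviour observed in the finding: the whole request URL, query string
// included, is echoed into the message field of the 404 body.
function reflectedNotFound(method, rawUrl) {
  return {
    message: `Route ${method}:${rawUrl} not found`,
    error: 'Not Found',
    statusCode: 404,
  };
}

// Percent-encode every byte of any character outside a small path allowlist.
// Unlike encodeURIComponent this also encodes ' ( ) ! * and %, so nothing that
// could break out of an HTML attribute, a JS string or a log field survives.
function encodePathStrict(path) {
  return path.replace(/[^A-Za-z0-9\/._~-]/gu, (ch) =>
    Array.from(Buffer.from(ch, 'utf8'), (b) =>
      '%' + b.toString(16).toUpperCase().padStart(2, '0')).join(''));
}

// Hardened 404 body: keep only the path (no query string or fragment),
// decode it once so the output is canonical (a pre-encoded "%3C" and a raw "<"
// end up identical), re-encode strictly, cap the length, and allow only an
// uppercase method token so a custom :method pseudo-header is not echoed either.
function safeNotFound(method, rawUrl, maxLen = MAX_PATH_LEN) {
  let path = String(rawUrl).split(/[?#]/)[0];
  try {
    path = decodeURIComponent(path);
  } catch (e) {
    // Malformed percent-encoding: keep the raw bytes; they get encoded below.
  }
  path = encodePathStrict(path);
  if (path.length > maxLen) path = path.slice(0, maxLen) + '...';
  const verb = /^[A-Z]{3,10}$/.test(method) ? method : 'UNKNOWN';
  return { message: `Route ${verb}:${path} not found`, error: 'Not Found', statusCode: 404 };
}

// Constructed downstream consumer: an alert template that interpolates the
// decoded message into HTML without escaping. This is the kind of sink the
// finding describes, not something observed in the audit.
function naiveAlertHtml(body) {
  return `<li class="alert">${body.message}</li>`;
}

// Constructed attacker input: an HTML payload carried in the query string.
function demo() {
  const url = '/api/address/generate?ael64smq30=<img src=x onerror=alert(1)>';
  return {
    reflected: naiveAlertHtml(reflectedNotFound('GET', url)),
    hardened: naiveAlertHtml(safeNotFound('GET', url)),
  };
}
```

With the reflecting handler, the payload reaches the alert template intact and the browser that renders the alert executes it; with the hardened handler the template only ever sees `Route GET:/api/address/generate not found`. The consumer in `naiveAlertHtml` is still wrong and should escape for HTML itself; the server-side change merely stops the API from being the easiest place to inject through.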
Novaswap: Confirmed. Zealynx: Fixed.