SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-200 Sensitive Data Exposure

Coverage: 18 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 17Other-pattern 1 Also: AI-context engineTaint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged a place where sensitive information is exposed to users or systems that shouldn't have it (overly broad API responses, debug endpoints, insecure storage/permissions, or leaked secrets).

Why it matters

Sensitive data exposure can lead to account compromise or privacy breaches.

Safer examples

1) Return the minimum data needed (response allowlists)

res.json({ id: user.id, name: user.name }); // not the full user object

2) Separate public vs private fields

Keep "internal-only" data out of DTOs returned to clients.

3) Protect non-obvious leak paths

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.