CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Last updated
Overview
Network-based products, such as web applications, often run on top of an operating system or similar environment. When the product communicates with outside parties, details about the underlying system are expected to remain hidden, such as path names for data files, other OS users, installed packages, the application environment, etc. This system information may be provided by the product itself, or buried within diagnostic or debugging messages. Debugging information helps an adversary learn about the system and form an attack plan. An information exposure occurs when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. Using other weaknesses, an attacker could cause errors to occur; the response to these errors can reveal detailed system information, along with other impacts. An attacker can use messages that reveal technologies, operating systems, and product versions to tune the attack against known vulnerabilities in these technologies. A product may use diagnostic methods that provide significant implementation details such as stack traces as part of its error handling mechanism.
Real-world CVEs
342 recorded CVEs are caused by CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 93 new CWE-497 CVEs have been recorded so far in 2026 (177 in 2025).
- CVE-2021-31955CISA KEV
Windows Kernel Information Disclosure Vulnerability
Medium · CVSS 6.8 · EPSS 100th2021-06-08 - CVE-2025-10264
Digiever|NVR - Exposure of Sensitive Information
Critical · CVSS 10.0 · EPSS 36th2025-09-12 - CVE-2025-47699Critical · CVSS 9.9 · EPSS 23th2025-10-23
- CVE-2025-44823Critical · CVSS 9.9 · EPSS 96th2025-10-07
- CVE-2025-6561
Hunt Electronic Hybrid DVR - Exposure of Sensitive System Information
Critical · CVSS 9.8 · EPSS 38th2025-06-26 - CVE-2025-1144
Quanxun School Affairs System - Exposure of Sensitive Information
Critical · CVSS 9.8 · EPSS 39th2025-02-11 - CVE-2024-36554Critical · CVSS 9.8 · EPSS 35th2025-02-06
- CVE-2020-25179Critical · CVSS 9.8 · EPSS 69th2020-12-14
- CVE-2025-11545Critical · CVSS 9.5 · EPSS 20th2025-12-22
- CVE-2026-14808
PROG MIS|Prog Management System - Exposure of Sensitive Information
Critical · CVSS 9.3 · EPSS 40th2026-07-06 - CVE-2025-15623
Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user
Critical · CVSS 9.3 · EPSS 18th2026-04-17 - CVE-2025-5893
Honding Technology Smart Parking Management System - Exposure of Sensitive Information
Critical · CVSS 9.3 · EPSS 34th2025-06-09
Showing 12 of 342 recorded CWE-497 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-497 vulnerabilitiesCommon consequences
What can happen when CWE-497 is exploited.
Read Application Data
Affects: Confidentiality
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-497, grouped by where in the lifecycle they apply.
Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code prints the path environment variable to the standard error stream:
Vulnerable example
char* path = getenv("PATH");This code prints all of the running processes belonging to the current user.
Vulnerable example
//assume getCurrentUser() returns a username that is guaranteed to be alphanumeric (avoiding CWE-78)If invoked by an unauthorized web user, it is providing a web page of potentially sensitive information on the underlying system, such as command-line arguments (CWE-497). This program is also potentially vulnerable to a PATH based attack (CWE-426), as an attacker may be able to create malicious versions of the ps or grep commands. While the program does not explicitly raise privileges to run the system commands, the PHP interpreter may by default be running with higher privileges than users.
The following code prints an exception to the standard error stream:
Vulnerable example
try {Vulnerable example
try {Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of an attack the system will be vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In the example above, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
The following code constructs a database connection string, uses it to create a new connection to the database, and prints it to the console.
Vulnerable example
string cs="database=northwind; server=mySQLServer...";Depending on the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of an attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In the example above, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-32638 — Code analysis product passes access tokens as a command-line parameter or through an environment variable, making them visible to other processes via the ps command.
Terminology & mappings
Mapped taxonomies
- 7 Pernicious Kingdoms: System Information Leak
- The CERT Oracle Secure Coding Standard for Java (2011): Do not allow exceptions to expose sensitive information (ERR01-J)
- Software Fault Patterns: Exposed Data (SFP23)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-497.
- What is CWE-497?
- The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
- What CVEs are caused by CWE-497?
- 342 recorded CVEs are attributed to CWE-497, including CVE-2021-31955, CVE-2025-10264, CVE-2025-47699. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-497?
- Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs
- How is CWE-497 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-497?
- Exploiting CWE-497 can lead to: Read Application Data.
- Is CWE-497 actively exploited?
- Yes. 1 CWE-497 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 342 recorded CVEs.
References
- MITRE CWE definition (CWE-497) (opens in a new tab)
- CWE-497 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-497
Get alerted the moment a new CWE-497 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.