AutoMQ Version
N/A - Tested via cloud playground. API reported version 5.3.7 for dev-starter instance.
Operating System
N/A - Cloud API (playground.automq.cloud)
Installation Method
other
Hardware Configuration
macOS 15.6.1(24G90)
8 GB 2133 MHz LPDDR3
1.4 GHz Quad-Core Intel Core i5
Other Relevant Software
No response
What Went Wrong?
The error message exposes java.lang.String which is an internal
Java/Spring framework class name. This reveals backend implementation
details that should never be visible to API consumers.
What Should Have Happened Instead?
The API should return a clean, user-friendly error message without
exposing any internal Java class names or framework details.
Expected response:
{
  "error": {
    "code": "System.InvalidRequestParameter",
    "message": "Invalid value for 'pageSize'. Expected a positive integer greater than 0."
  }
}
The full error details should be logged server-side only for
debugging purposes, and never exposed to the API consumer.
Reference: OWASP Improper Error Handling
https://owasp.org/www-community/Improper_Error_Handling
Steps to Reproduce
- Open Postman
- Send GET request:
https://playground.automq.cloud/api/v1/instances?pageNum=1&pageSize=abc
- No authentication required (Playground is open by design)
- Observe the error response
Additional Information
Testing Tool: Postman
Environment: AutoMQ Playground (cloud-hosted, open by design)
Instance Version: 5.3.7 (as reported by API response for dev-starter instance)
Endpoint Tested: GET /api/v1/instances
Security Classification:
- OWASP Improper Error Handling
- OWASP Proactive Controls C10 — Handle All Errors and Exceptions
- CWE-248: Uncaught Exception
Severity: Low — No data breach, but internal tech stack is exposed
Additional Notes:
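One way to produce the expected response shape, as an added example (not code from the report or from AutoMQ): it assumes a Spring MVC backend, as the report suggests, and the class name `ApiErrorHandler` and the `errorId` field are hypothetical.

```java
import java.util.Map;
import java.util.UUID;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.method.annotation.MethodArgumentTypeMismatchException;

// Hypothetical class; assumes the API is served by Spring MVC controllers.
@RestControllerAdvice
public class ApiErrorHandler {

    private static final Logger log = LoggerFactory.getLogger(ApiErrorHandler.class);

    // Spring raises this exception when a request value such as pageSize=abc
    // cannot be converted to the type the controller method declares.
    @ExceptionHandler(MethodArgumentTypeMismatchException.class)
    public ResponseEntity<Map<String, Object>> onTypeMismatch(
            MethodArgumentTypeMismatchException ex) {
        // Correlation id (an assumption of this example): lets support staff
        // find the server-side log entry without sending any detail to the client.
        String errorId = UUID.randomUUID().toString();

        // The exception, including the internal type names and the stack trace,
        // is written to the server log only. Passing ex as the last argument
        // makes SLF4J log the full stack trace.
        log.warn("errorId={} rejected value for argument '{}'", errorId, ex.getName(), ex);

        // The client sees the argument name and a fixed message, never
        // ex.getMessage(), which is where the Java type names come from.
        Map<String, Object> body = Map.of(
                "error", Map.of(
                        "code", "System.InvalidRequestParameter",
                        "message", "Invalid value for '" + ex.getName() + "'.",
                        "errorId", errorId));
        return ResponseEntity.badRequest().body(body);
    }
}
```

`ex.getName()` is the controller method's argument name, which matches the query parameter only when the two are named the same.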