An application's source code frequently contains sensitive information that must not be exposed to anyone who does not need it. Typical examples are hardcoded credentials, API keys, encryption secrets and other critical data embedded directly in the codebase.
Sensitive information disclosure in source code usually happens when developers put secrets directly into the code for convenience and forget to remove them before committing or sharing it. Debugging output or verbose error messages added during testing can likewise be overlooked and ship in the final version.
Configuration files meant only for local use, for example a .env file holding real credentials, are sometimes committed or shared by mistake.
Third-party libraries can also expose data if they are not properly managed, for example when a dependency bundles its own configuration or sample credentials, or logs more than the application intended.
Code repositories with weak access controls let unauthorized people read code with embedded secrets, and anything they find can be used directly against the systems those secrets protect.
If the source code is in a public repository (GitHub, GitLab, Bitbucket and the like), attackers can browse or search it, by hand or with automated scanners, for hardcoded secrets such as API keys, database credentials or encryption keys. Deleting a secret in a later commit does not undo the exposure: it remains in the repository history until that history is rewritten, so the credential has to be treated as compromised and rotated.
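As an added example (not code from the original page), the following Python script shows the kind of search an attacker, or a pre-commit check, runs over a code tree: a few regular-expression rules for well-known credential shapes (AWS access key IDs, GitHub classic tokens, PEM private keys) plus a generic rule for quoted secret assignments, applied to a constructed sample repository. The file names, their contents and the placeholder filter are all assumptions made for this illustration; the key values are synthetic.

```python
"""Minimal hardcoded-secret scanner run over a constructed sample repository.

Added example, not code from the original page. The credential shapes used
in RULES are public knowledge; every file and value in SAMPLE_FILES is made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


# Rule name -> compiled regex. AWS access key IDs are "AKIA" plus 16 characters,
# GitHub classic personal access tokens are "ghp_" plus 36 characters, and PEM
# private keys start with a BEGIN line.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    # Generic '<name> = "<literal>"' assignments such as DB_PASSWORD = "..." or
    # api_key: '...'. No leading \b so that prefixes like DB_ still match.
    "hardcoded-assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|access[_-]?token|token)"
        r"\b\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}

# Values that are obviously templates; reporting them would only be noise.
PLACEHOLDER = re.compile(
    r"^(?:<.*>|\$\{.*\}|\{\{.*\}\}|changeme|your[_-].*|x+|\*+)$", re.I
)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit in the given file contents."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            # Only the generic rule captures a value; skip template placeholders.
            if rule == "hardcoded-assignment" and PLACEHOLDER.match(m.group(1)):
                continue
            findings.append(Finding(path, line_no, rule, line.strip()))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. a checked-out repository)."""
    results: list[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository (assumed for the example, not a real project).
SAMPLE_FILES = {
    "app/settings.py": (
        "import os\n"
        'DB_PASSWORD = "hunter2-prod-2023"\n'        # hardcoded secret: flagged
        'API_KEY = os.environ["API_KEY"]\n'          # read from env: not flagged
        'TOKEN = "<your-token-here>"\n'              # placeholder: filtered out
    ),
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEAsynthetic\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "scripts/release.sh": (
        "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuv0123\n"
    ),
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: [{f.rule}] {f.snippet}")
```

Run on a real checkout, the working-tree scan above is only half the job: a secret that was deleted in a later commit is still present in the repository history, so feed the scanner the output of `git log -p` (or walk each commit) rather than only the files currently on disk, and rotate anything it finds.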
To fix the vulnerability, follow these steps: