VC014 · A02:2021 · CWE-200

Sensitive data in source code

Sensitive data — PII, internal IDs, API tokens — included in API responses, error messages, or logs that don't need it.

What this rule detects

VC014 looks for response objects, JSON returns, and log calls that include fields the requesting user shouldn't see. Common cases: returning `passwordHash` from a user object, including `stripeCustomerId` in client responses, logging full request bodies (including tokens) to error trackers.

Vulnerable vs. safe code

Vulnerable
// Returns the full user record including hashed password.
export async function GET(req: Request, { params }: { params: { id: string } }) {
  const user = await db.user.findUnique({ where: { id: params.id } });
  return Response.json(user);
}
Safe
// Allowlist only the fields the client needs. Columns added to the model
// later (a new token, an internal ID) stay out of the response by default.
export async function GET(req: Request, { params }: { params: { id: string } }) {
  const user = await db.user.findUnique({
    where: { id: params.id },
    select: { id: true, name: true, avatarUrl: true },
  });
  return Response.json(user);
}
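The page's two snippets cover the response case. The other case the rule description names, a full request body or header set forwarded to an error tracker, needs a different approach: a response has a fixed shape you can allowlist, a log payload does not, so it has to be redacted by key name and scanned for tokens in free text. The following is an added example and not XploitScan's own code; the names (`DbUser`, `toPublicUser`, `redactForLog`, `buildErrorReport`) and the sample request are constructed for illustration.

```typescript
// Added example, not XploitScan's code. All names and sample data are assumptions.

// Shape of the record the ORM returns; the last three fields must never leave the server.
export type DbUser = {
  id: string;
  name: string;
  avatarUrl: string;
  email: string;
  passwordHash: string;
  stripeCustomerId: string;
};

export type PublicUser = Pick<DbUser, "id" | "name" | "avatarUrl">;

// Responses are built by allowlist: a field reaches the client only if it is
// named here, so a column added to the model later does not leak by default.
export function toPublicUser(u: DbUser): PublicUser {
  return { id: u.id, name: u.name, avatarUrl: u.avatarUrl };
}

// Logs carry arbitrary request data, so there is no fixed shape to allowlist.
// Redact by key name and also scrub bearer tokens embedded in free-text values.
const SENSITIVE_KEY =
  /^(password|passwordHash|password_hash|token|accessToken|refreshToken|secret|apiKey|api_key|authorization|cookie|set-cookie|stripeCustomerId|ssn)$/i;
const BEARER_IN_TEXT = /(Bearer\s+)[A-Za-z0-9._~+/=-]+/gi;

export function redactForLog(value: unknown, depth = 0): unknown {
  if (depth > 16) return "[truncated]"; // bounds recursion on cyclic or very deep input
  if (typeof value === "string") return value.replace(BEARER_IN_TEXT, "$1[REDACTED]");
  if (value instanceof Date) return value.toISOString();
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEY.test(k) ? "[REDACTED]" : redactForLog(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Constructed sample data so the block runs offline.
export const SAMPLE_USER: DbUser = {
  id: "u_123",
  name: "Ada",
  avatarUrl: "https://example.invalid/ada.png",
  email: "ada@example.com",
  passwordHash: "$2b$12$constructedplaceholderhash",
  stripeCustomerId: "cus_constructed",
};

export const SAMPLE_REQUEST = {
  method: "POST",
  path: "/api/login",
  headers: {
    authorization: "Bearer sk_live_constructed_0123456789",
    "content-type": "application/json",
  },
  body: { email: "ada@example.com", password: "hunter2", note: "retry with Bearer tok_constructed_42" },
};

// What an error tracker should receive: the error message plus the redacted request.
export function buildErrorReport(err: Error, req: typeof SAMPLE_REQUEST) {
  return { message: err.message, request: redactForLog(req) };
}
```

Keep `SENSITIVE_KEY` in one place and treat every addition to the user model or to the auth headers as a trigger to review it; the key list is a denylist and will miss a name nobody told it about, which is why the response path uses the allowlist instead.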

About A02:2021 Cryptographic Failures

Cryptographic failures cover everything from hardcoded secrets in source code to using broken algorithms (MD5, SHA-1) to transmitting passwords in plaintext. AI coding tools frequently generate this category of bug because the safe alternatives require knowing about libraries the model wasn't trained heavily on.

Impact: When this class ships, it's usually a data breach. Hardcoded API keys end up on GitHub and get scraped within minutes. Weak password hashing means a single database leak unlocks every user's password. Plaintext-over-HTTP endpoints get sniffed on public WiFi.

How to fix it: Never store secrets in source code; load them from environment variables populated by a secret manager, and fail closed if one is missing rather than falling back to a literal. Hash passwords with a salted, deliberately slow function (bcrypt, scrypt or argon2), never MD5 or SHA-1. Serve everything over HTTPS in production. Use the platform's vetted crypto APIs instead of rolling your own.

Common patterns in this category:

  • Hardcoded API keys, tokens, or passwords committed to git
  • MD5 or SHA-1 used for password hashing instead of bcrypt/argon2
  • Sensitive data sent over HTTP instead of HTTPS
  • Encryption keys stored alongside the encrypted data
  • Custom crypto implementations instead of vetted libraries
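Two of the fixes above, secrets from the environment and slow salted password hashing, side by side with the weak pattern they replace. This is an added example, not XploitScan's code; it uses Node's built-in scrypt rather than the bcrypt/argon2 packages so it runs with no dependencies, and the function names, the storage format and `FAKE_ENV` are assumptions made for the illustration.

```typescript
// Added example, not XploitScan's code. Names, storage format and FAKE_ENV are assumptions.
import { createHash, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Constructed stand-in for process.env so the block runs offline.
export const FAKE_ENV: Record<string, string | undefined> = {
  STRIPE_SECRET_KEY: "sk_test_constructed_placeholder",
};

// Secrets come from the environment (populated by your secret manager), never from a
// literal. A missing secret is a hard error: silently falling back to a default key
// is how a test value ends up protecting production data.
export function loadSecret(name: string, env: Record<string, string | undefined> = process.env): string {
  const value = env[name];
  if (!value) throw new Error(`missing required secret ${name}`);
  return value;
}

// Vulnerable: unsalted, fast hash. Identical passwords produce identical digests, so a
// leaked table is cracked by lookup against precomputed MD5 tables.
export function weakHash(password: string): string {
  return createHash("md5").update(password).digest("hex");
}

// Safe: per-user random salt plus a memory-hard KDF. Tune N upward as your hardware allows;
// these parameters are a floor chosen so the example runs quickly, not a production recommendation.
const SCRYPT = { N: 16384, r: 8, p: 1 } as const;
const KEYLEN = 32;

// Storage format (assumed): scrypt$<N>$<salt hex>$<key hex>, so the parameters travel with the hash.
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEYLEN, SCRYPT);
  return `scrypt$${SCRYPT.N}$${salt.toString("hex")}$${key.toString("hex")}`;
}

export function verifyPassword(stored: string, attempt: string): boolean {
  const [alg, nText, saltHex, keyHex] = stored.split("$");
  if (alg !== "scrypt" || !nText || !saltHex || !keyHex) return false;
  const N = Number(nText);
  if (!Number.isInteger(N) || N < 2) return false;
  const expected = Buffer.from(keyHex, "hex");
  if (expected.length !== KEYLEN) return false; // malformed record; never compare empty buffers
  const actual = scryptSync(attempt, Buffer.from(saltHex, "hex"), KEYLEN, { ...SCRYPT, N });
  // Constant-time comparison so a mismatch does not leak how many leading bytes matched.
  return timingSafeEqual(actual, expected);
}
```

Because the salt and the cost parameter are stored with each hash, you can raise N later and rehash users transparently on their next successful login.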

Compliance coverage

Findings from this rule map to the following framework controls:

SOC 2: CC6.7, CC6.1
ISO 27001: A.8.28, A.8.12
OWASP Top 10: A02:2021 Cryptographic Failures
CWE: CWE-200

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC014 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .

