From 5aa02cf3f75d358e5e9eb666dd8b355c4aa0437b Mon Sep 17 00:00:00 2001
From: "Robby (AI-assisted)" <robbyczgw@gmail.com>
Date: Mon, 26 Jan 2026 21:03:41 +0000
Subject: [PATCH] fix(gateway): sanitize error responses to prevent information
 disclosure

Replace raw error messages with generic 'Internal Server Error' to prevent
leaking internal error details to unauthenticated HTTP clients.

Fixes #2383
---
 src/gateway/server-http.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/gateway/server-http.ts b/src/gateway/server-http.ts
index 08415f346..b72939c6a 100644
--- a/src/gateway/server-http.ts
+++ b/src/gateway/server-http.ts
@@ -291,10 +291,10 @@ export function createGatewayHttpServer(opts: {
       res.statusCode = 404;
       res.setHeader("Content-Type", "text/plain; charset=utf-8");
       res.end("Not Found");
-    } catch (err) {
+    } catch {
       res.statusCode = 500;
       res.setHeader("Content-Type", "text/plain; charset=utf-8");
-      res.end(String(err));
+      res.end("Internal Server Error");
     }
   }