Post

[CVE-2025-52022] Information disclosure via verbose error messages in Aptsys gemsloyalty backend

Posted
By RTA
3 min read

Summary

An information disclosure vulnerability was identified in the backend of Aptsys’ gemsloyalty platform, which powers POS and management systems for multiple F&B clients.
The issue allows unauthenticated remote attackers to trigger verbose error messages and stack traces that reveal sensitive backend details such as internal file paths, variable names, and portions of source code.

CVE: CVE-2025-52022 (Reserved - pending public publication)
This public advisory serves as the official reference for CVE publication.
Technical exploitation details, endpoint traces, and raw error messages are intentionally withheld to prevent misuse.

Background & Discovery

The vulnerability was discovered during normal interaction with an Aptsys-powered mobile application in May 2025, when an unhandled backend error response returned a detailed stack trace.
Subsequent review confirmed that unauthenticated users could directly trigger similar error messages by sending malformed requests to certain public API endpoints hosted on gemsloyalty backend.

Multiple attempts to responsibly disclose the issue to the vendor were made through multiple channels between May-Nov 2025, but no remediation or formal acknowledgment was received.

Affected Product(s)

  • Vendor: Aptsys
  • Product: gemsloyalty backend server
  • Component: Backend error handler for public API requests
  • Endpoint (high-level): group service API for retrieving group names by ID (specific endpoint withheld for security)
  • Versions: Unknown (likely affects multiple active backend builds)
  • Confirmed Affected: Production environment verified in May 2025

Vulnerability Details (Redacted)

A backend API endpoint in the gemsloyalty platform fails to properly handle invalid input or unexpected parameters.
When an unauthenticated remote attacker submits a malformed HTTP request, the backend application throws an unhandled exception that exposes full diagnostic information to the client.

The verbose error output includes:

  • Absolute file paths on the production server
  • Function names and variable identifiers
  • Partial source code snippets
  • Framework and version details from the stack trace

This behavior violates secure error-handling best practices and falls under CWE-209: Generation of Error Message Containing Sensitive Information.

Note: Specific endpoint paths, sample stack traces, and captured responses are withheld from this public advisory to reduce risk of exploitation.

Exploitation (High-Level)

  • Attack vector: Remote (HTTP request)
  • Authentication required: None
  • Complexity: Low

An attacker can send crafted GET or POST requests to public API endpoints (e.g., group or service-related routes) on the gemsloyalty backend.
When input validation fails, the backend responds with detailed error messages containing internal environment data.
This information could aid further attacks such as path traversal, SQL injection, or privilege escalation.

Impact

  • Disclosure of internal file paths and source code snippets
  • Exposure of stack traces and backend logic flow
  • Leakage of potentially sensitive framework or configuration information
  • Increased risk of targeted follow-up attacks using revealed data

Mitigation & Recommendations

For Operators / Administrators

  1. Disable detailed error output in production environments.
  2. Use generic error messages for client responses and log full errors server-side only.
  3. Deploy WAF or reverse proxy rules to block unexpected API requests.
  4. Restrict access to backend endpoints from untrusted networks.
  5. Conduct source code review for other API routes that may lack error handling.

For Developers / Vendor

  • Implement centralized error handling with sanitized messages.
  • Ensure production builds disable debug modes and stack traces.
  • Validate and sanitize all API inputs before processing.
  • Conduct a full audit for unhandled exceptions or direct echo/print of exception details.
  • Follow OWASP and CWE-209 guidance for secure error handling.

Timeline

  • May 2025: Vulnerability discovered and verified in production deployment.
  • May–Nov 2025: Multiple disclosure attempts to Aptsys; no remediation confirmed.
  • Jul 2025: CVE-2025-52022 reserved.
  • Nov 2025: Public disclosure published (this advisory).

Status

  • Vendor response: No acknowledgment or fix confirmed as of November 2025.
  • CVE status: RESERVED → Pending PUBLIC upon MITRE confirmation.
  • Technical details: Redacted; available under NDA/PGP for vendor or CERT coordination.

Withheld Information

To minimize exploitation risk, this public advisory intentionally omits:

  • Exact endpoint path names and query parameters
  • Full error message outputs or screenshots
  • Stack trace content and variable identifiers
  • Customer domain names or deployment-specific URLs

Operators of Aptsys gemsloyalty deployments should treat this as a high-severity issue and apply mitigations immediately. Vendors and CERT teams may contact the reporter for full technical details.

References

Disclosure
cve information-disclosure stack-trace error-handling security
This post is licensed under CC BY 4.0 by the author.