YAML parser error message leaked to client in handleYamlUpload catch block
The catch block in handleYamlUpload concatenates the raw js-yaml/VM error message into the Error forwarded to the Express error handler, leaking parser internals to the client.
In handleYamlUpload, the catch block computes errorMessage = err instanceof Error ? err.message : String(err) and then calls:
res.status(410)
next(new Error('B2B customer complaints via file upload have been deprecated for security reasons: ' + errorMessage + ' (' + file.originalname + ')'))
Express's error middleware renders the message (and frequently the stack) into the HTTP response. errorMessage here is the unsanitized output of yaml.load running under vm.runInContext — js-yaml errors expose the offending YAML snippet, line/column numbers, parser state, and Node VM/script context details. This matches the rule's criterion: a catch (err) block produces a response whose body includes err.message/String(err).
- POST a malformed YAML file (e.g., key: : :) to the B2B complaint upload endpoint.
- Observe the HTTP 410 response body — it contains the raw js-yaml error text including the YAML excerpt, line/column, and parser internals.
Anyone able to upload a YAML complaint file can retrieve detailed js-yaml/VM parser errors. These leak library identity, internal parsing state, and excerpts of submitted data — useful for fingerprinting and confirming parser-side bugs (e.g., YAML bomb / DoS oracle).
The catch block at lines 122-134 explicitly extracts err.message into errorMessage and concatenates it into the Error passed to next(...). Express's default error handler propagates the Error's message into the response body, so a malformed YAML upload (e.g. key: : :) will return the raw js-yaml parser error including line/column and the offending snippet. The detector's PoC is reachable via the YAML upload endpoint, and the scope rule explicitly says "Treat every finding as if this were a real production application," so the intentional-vulnerability framing doesn't downgrade it.
The B2B YAML upload endpoint is reachable over HTTP and no authentication middleware is visible in this file, so an attacker can POST a malformed YAML file anonymously. The catch block at lines 122-134 concatenates the raw err.message from vm.runInContext/yaml.load into the Error passed to next(...), which Express renders into the 410 response body — leaking js-yaml parser internals, line/column, snippets of submitted data, and library/VM fingerprints (limited confidentiality impact, C:L, since the attacker can only retrieve parser/diagnostic info, not arbitrary secrets). There is no modification of data (I:N) and no denial-of-service caused by this leak itself (A:N); the impact stays within the Node process (S:U).
- CWE-209
- CWE-211
- OWASP A09:2021