Severity: Critical | CWE-798 | Secret Exposure

Exposed API Key in JS Bundle

Description

API keys, secrets, or tokens are hardcoded in client-side JavaScript and visible in the browser bundle via DevTools.

How Vezraa Detects It

We scan your JS bundles for regex patterns matching known key formats: sk-, OPENAI_, RAZORPAY_, STRIPE_, etc.
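An added example, not Vezraa's scanner, of what that kind of bundle check looks like in code: it runs a few constructed key-shaped regexes over the text of a JS bundle and reports each hit with its line number and a redacted preview. The patterns are built from the prefixes named above (sk-, OPENAI_, RAZORPAY_, STRIPE_) and are assumptions about key shape, so treat hits as leads to confirm, not proof on their own.

```javascript
// Added example, not Vezraa's scanner: find strings shaped like hardcoded
// API keys in bundle text and report them redacted. The patterns are
// constructed from the prefixes named on the page; real key formats vary.

const KEY_PATTERNS = [
  // OpenAI-style secret: "sk-" followed by a long token
  { name: 'openai-secret-key', re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  // Env-style names a bundler inlined as literals, e.g. STRIPE_SECRET_KEY: "..."
  {
    name: 'env-style-secret',
    re: /\b(?:OPENAI|RAZORPAY|STRIPE)_[A-Z_]*(?:KEY|SECRET|TOKEN)\b\s*[:=]\s*["'`][^"'`]{8,}["'`]/g,
  },
];

// Keep only the edges of a match so the report itself never carries the whole secret.
function redact(match) {
  return match.length <= 8 ? '*'.repeat(match.length) : `${match.slice(0, 4)}...${match.slice(-4)}`;
}

// Scan bundle text line by line. Minified bundles are usually one long line,
// which still works; the reported line number is then always 1.
function scanBundle(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { name, re } of KEY_PATTERNS) {
      re.lastIndex = 0; // global regexes keep state between calls; reset per line
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ pattern: name, line: idx + 1, preview: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample bundle; the key values are made-up placeholders.
const SAMPLE_BUNDLE = [
  'var a=1;',
  'const openai=new OpenAI({apiKey:"sk-proj-EXAMPLEabcdefghijklmnop0123456789"});',
  'const cfg={STRIPE_SECRET_KEY:"sk_test_EXAMPLE000000000000"};',
  'fetch("/api/proxy/chat",{method:"POST"});',
].join('\n');

console.log(scanBundle(SAMPLE_BUNDLE));
```

Run it over the output of your production build (the files under `dist/` or `.next/static/`), not the source tree: the bundle is what the browser receives, and a bundler will happily inline an `.env` value into it.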

Real-World Impact

Attackers steal your OpenAI, Stripe, or Razorpay keys and rack up thousands in charges within minutes.

Fix Example

// BAD — exposed in bundle: anyone who loads the page can read the key in DevTools
const openai = new OpenAI({ apiKey: 'sk-proj-...' });

// GOOD — proxy through backend: the browser sends only the prompt, the server holds the key
const res = await fetch('/api/proxy/chat', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ messages: [{ role: 'user', content: prompt }] }), // prompt: the user's input text
});
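The server side of the GOOD pattern, as an added example that is not Vezraa's code and not OpenAI's SDK: the key is read from the server environment only, the caller must have a session, only allowlisted fields are forwarded upstream, and only the reply text comes back. The names `req.user` (set by your session middleware), `OPENAI_API_KEY`, `planProxyCall`/`handleProxyChat`, the model allowlist and the upstream URL are assumptions made for illustration.

```javascript
// Added example, not Vezraa's code: a server-side handler behind /api/proxy/chat.
// Assumed: req.user is populated by session middleware; OPENAI_API_KEY is set
// on the server; the upstream URL and model allowlist are illustrative.

const UPSTREAM_URL = 'https://api.openai.com/v1/chat/completions';
const ALLOWED_MODELS = new Set(['gpt-4o-mini']); // constructed allowlist: clients cannot pick pricier models
const ALLOWED_ROLES = new Set(['system', 'user', 'assistant']);
const MAX_MESSAGES = 20;

class ValidationError extends Error {}

// Pure: validate the client's body and build the upstream request.
// Only allowlisted fields are forwarded, so a client cannot smuggle extra
// parameters (a huge max_tokens, for instance) through the proxy.
function buildUpstreamRequest(clientBody, apiKey) {
  if (!apiKey) throw new Error('OPENAI_API_KEY is not set on the server');
  const { model, messages } = clientBody ?? {};
  if (!ALLOWED_MODELS.has(model)) throw new ValidationError('model not allowed');
  if (!Array.isArray(messages) || messages.length === 0 || messages.length > MAX_MESSAGES) {
    throw new ValidationError('messages must be a non-empty array of at most ' + MAX_MESSAGES);
  }
  for (const m of messages) {
    if (!m || !ALLOWED_ROLES.has(m.role) || typeof m.content !== 'string') {
      throw new ValidationError('each message needs an allowed role and string content');
    }
  }
  return {
    url: UPSTREAM_URL,
    init: {
      method: 'POST',
      headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ model, messages }),
    },
  };
}

// Pure: decide whether to reject the request or which upstream call to make.
function planProxyCall(req, env) {
  if (!req.user) return { reject: { status: 401, body: { error: 'unauthenticated' } } };
  try {
    return { upstream: buildUpstreamRequest(req.body, env.OPENAI_API_KEY) };
  } catch (e) {
    if (e instanceof ValidationError) return { reject: { status: 400, body: { error: e.message } } };
    return { reject: { status: 500, body: { error: 'proxy unavailable' } } }; // never echo config details
  }
}

// I/O: run the plan. fetchImpl is injectable so the handler can be exercised offline.
async function handleProxyChat(req, env, fetchImpl = globalThis.fetch) {
  const plan = planProxyCall(req, env);
  if (plan.reject) return plan.reject;
  const res = await fetchImpl(plan.upstream.url, plan.upstream.init);
  if (!res.ok) return { status: 502, body: { error: 'upstream error' } };
  const data = await res.json();
  // Forward only the reply text; upstream metadata and headers stay on the server.
  return { status: 200, body: { reply: data.choices?.[0]?.message?.content ?? '' } };
}

// Constructed request and a fake fetch so the example runs without network or a real key.
const exampleReq = {
  user: { id: 'user-1' },
  body: { model: 'gpt-4o-mini', messages: [{ role: 'user', content: 'hello' }], max_tokens: 999999 },
};
const fakeFetch = async (url) => ({
  ok: true,
  json: async () => ({ choices: [{ message: { content: `echo from ${new URL(url).host}` } }] }),
});
handleProxyChat(exampleReq, { OPENAI_API_KEY: 'sk-proj-PLACEHOLDER-not-a-real-key' }, fakeFetch)
  .then((r) => console.log(r));
```

Mount `handleProxyChat` on the `/api/proxy/chat` route your frontend already calls. Because the proxy now spends your key on behalf of any logged-in user, add per-user rate limiting and spend alerts on the provider account as well; moving the key server-side stops the bundle leak but does not by itself cap usage.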

Affected Stacks

Next.js, React, Vue, Angular, all SPAs


Exposed API Key in JS Bundle — Vulnerability Database | Vezraa