If an exception is thrown from a graphql query, the exception message is printed to all users.
Create a custom graphql field plugin that, for example, makes an external HTTP request and doesn't catch GuzzleException. When the request fails, the message usually includes the full URL with possible sensitive (secret) URL parameters.
Instead of print() use watchdog_exception().
Fixed
4.0
Code
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Here's an alternative for 4.x that prints errors only if twig debug mode is enabled.
Applied the $this->env->isDebug() fix to both 3.x & 4.x thank you.
Automatically closed - issue fixed for 2 weeks with no activity.