OWASP ZAP scan returns "Application Error Disclosure" to JS library. Is it false positive? How to prove this or fix it?


sameer shaik

May 4, 2023, 1:34:36 PM5/4/23
to OWASP ZAP User Group
Web Scan - After an automatic scan with OWASP ZAP 2.12.0 I have "Application Error Disclosure" with a JavaScript file (/_next/static/chunks/main-xxx.js). The site is based on React JS using the Next.js framework. I've found that the Next.js script contains the string 500:"Internal Server Error", as highlighted in the screenshot. It is inside the .next folder generated by the Next.js framework after the build.

Below are the details of the alert: (Also attached a screenshot regarding the same)

Application Error Disclosure

Risk: Medium
Confidence: Medium

Evidence: Internal Server Error

CWE ID: 200
WASC ID: 13
Source: Passive (90022 - Application Error Disclosure)

Solution:
Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

So my question is
Is it a false positive because ZAP scanned a JS-URL which has keywords like RuntimeError: '500:Internal Server Error'?

screenshot_application_error_disclosure.jpeg

kingthorin+owaspzap

May 4, 2023, 2:25:21 PM5/4/23
to OWASP ZAP User Group
It's likely a false positive. To be sure:

1) Check for other occurrences of the evidence string in the response. (ZAP's highlighting is first match.)
2) Assuming you've updated things, for that specific passive scan rule JS and CSS files are only considered at LOW threshold.
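The two checks above can be run outside ZAP as well. The following is an added example, not code from the thread or from ZAP itself: a simplified model of a passive "error disclosure" check that (1) lists every line where the evidence string occurs rather than only the first match, and (2) skips JavaScript and CSS bodies unless the threshold is LOW. The two sample responses (a minified chunk with status-code labels as string literals, and an HTML page with a real traceback), the pattern list, the hostname and the threshold names are all constructed for the example; ZAP's rule 90022 has its own, larger pattern list.

```python
import re
from dataclasses import dataclass, field

# Error-message patterns to look for. Constructed for this example; ZAP's
# real rule (90022) carries its own, larger list.
ERROR_PATTERNS = {
    "Internal Server Error": re.compile(r"Internal Server Error"),
    "Java stack trace": re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)"),
    "Python traceback": re.compile(r"Traceback \(most recent call last\)"),
}

# Content types treated as client-side code: only checked at LOW threshold,
# mirroring the behaviour described in the thread.
CODE_CONTENT_TYPES = ("application/javascript", "text/javascript", "text/css")

THRESHOLDS = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Response:
    url: str
    status: int
    content_type: str
    body: str


@dataclass
class Finding:
    pattern_name: str
    evidence: str
    # every (line number, line text) where the evidence appears, not just the first
    occurrences: list = field(default_factory=list)


def all_occurrences(body: str, pattern: re.Pattern) -> list:
    """Return (line_no, line) for every line matching pattern (1-based)."""
    hits = []
    for n, line in enumerate(body.splitlines(), start=1):
        if pattern.search(line):
            hits.append((n, line.strip()[:120]))
    return hits


def scan(resp: Response, threshold: str = "medium") -> list:
    """Model of the passive check: skip JS/CSS above LOW, else report all hits."""
    findings = []
    ctype = resp.content_type.split(";")[0].strip().lower()
    # At MEDIUM or HIGH, skip JS/CSS bodies: error strings there are almost
    # always literals in client-side code, not server error output.
    if ctype in CODE_CONTENT_TYPES and THRESHOLDS[threshold] >= THRESHOLDS["medium"]:
        return findings
    for name, pat in ERROR_PATTERNS.items():
        hits = all_occurrences(resp.body, pat)
        if hits:
            findings.append(Finding(name, pat.search(resp.body).group(0), hits))
    return findings


def triage(resp: Response) -> str:
    """Apply the thread's two checks and give a verdict for the alert."""
    if scan(resp, "medium"):
        return "alert"                # real disclosure in a non-code response
    if scan(resp, "low"):
        return "low-threshold-only"   # only raised when JS/CSS are included
    return "clean"


# Constructed sample: a minified framework chunk carrying status-code labels
# as string literals (modelled on the report in the thread, not copied from Next.js).
JS_CHUNK = Response(
    url="https://example.test/_next/static/chunks/main-xxx.js",
    status=200,
    content_type="application/javascript; charset=utf-8",
    body='(self.webpackChunk=self.webpackChunk||[]).push([[179],{1234:function(e,t,n){'
         'e.exports={400:"Bad Request",404:"This page could not be found",'
         '500:"Internal Server Error"}}}]);',
)

# Constructed sample: an HTML error page that really does leak a server-side trace.
HTML_ERROR = Response(
    url="https://example.test/api/orders",
    status=500,
    content_type="text/html",
    body="<h1>Internal Server Error</h1>\n<pre>Traceback (most recent call last):\n"
         '  File "app.py", line 42, in place_order\n</pre>',
)

if __name__ == "__main__":
    for r in (JS_CHUNK, HTML_ERROR):
        print(r.url, "->", triage(r))
        for f in scan(r, "low"):
            for ln, text in f.occurrences:
                print(f"  {f.pattern_name}: line {ln}: {text}")
```

Running it prints `low-threshold-only` for the JS chunk (the only hit is the string literal inside the bundle) and `alert` for the HTML page, whose body contains both the heading and a traceback on separate lines. Listing every occurrence is what tells you whether the single highlighted match is the whole story.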

Simon Bennetts

May 5, 2023, 4:58:52 AM5/5/23
to OWASP ZAP User Group
That looks like something we might be able to code around - especially if the content type indicated it's JavaScript...