The Jackson provider may expose unwanted source references in a default RESTEasy 400 error response. This is reproduced easily with the jaxrs-client quick start and testing a bad POST if you start A container with RESTEasy with -Dresteasy.preferJacksonOverJsonB=true. Note the unwanted source reference:

$ curl -X POST localhost:8080/jaxrs-client/rest/contacts -H "Content-Type: application/json" -d '[['
com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type `org.jboss.as.quickstarts.jaxrsclient.model.Contact` from Array value (token `JsonToken.START_ARRAY`)
 at [Source: (io.undertow.servlet.spec.ServletInputStreamImpl); line: 1, column: 1]

It can be masked with a custom ExceptionHandler that checks and avoids message output, but any improvement we might consider to avoid that source exposure in the exception message exposed in the default error response?