Overview
Broken Authentication vulnerabilities in NestJS can arise when a request token (such as an OAuth bearer token) is forwarded to multiple backend services through a proxy module without per-service control. CVE-2022-31069 describes such a case: nestjs-proxy forwarded the Authorization header to upstream services by default, so a client's token could reach downstream services that should never see it. In practice, an application that routes requests to several internal services through a single gateway could leak the token to services that neither require it nor should have access to it, creating token leakage and broader access risk. The impact is greatest in multi-service architectures, where token scoping, service boundaries, and least privilege must be respected.

The patched package addresses the issue by introducing per-service control over header forwarding, which reduces the blast radius of a compromised or misconfigured service. This remediation guide references CVE-2022-31069 and the recommended upgrade path for NestJS apps that use the proxy module. The problem is commonly tied to the older @ffdc/nestjs-proxy package, which has been deprecated; developers are advised to migrate to @finastra/nestjs-proxy for active maintenance and fixes.
Affected Versions
Affected: @finastra/nestjs-proxy < 0.7.0; @ffdc/nestjs-proxy deprecated (migrate to @finastra/nestjs-proxy).
Code Fix Example
NestJS API Security Remediation
Vulnerable pattern (Authorization header forwarded to all configured services by default):
import { Module } from '@nestjs/common';
import { NestjsProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    NestjsProxyModule.register({
      baseUrl: 'https://gateway.internal',
      services: [
        // No per-service setting: every upstream inherits the permissive default.
        { name: 'billing', url: 'https://billing.internal' },
        { name: 'payments', url: 'https://payments.internal' },
        { name: 'analytics', url: 'https://analytics.internal' }
      ]
    })
  ]
})
export class AppModule {}
// In this configuration, the Authorization header from the client request is forwarded to all configured backend services.
Fixed pattern (per-service forwardToken controls to prevent leakage):
import { Module } from '@nestjs/common';
import { NestjsProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    NestjsProxyModule.register({
      baseUrl: 'https://gateway.internal',
      services: [
        // forwardToken is set explicitly on every service; only payments needs the token.
        { name: 'billing', url: 'https://billing.internal', forwardToken: false },
        { name: 'payments', url: 'https://payments.internal', forwardToken: true },
        { name: 'analytics', url: 'https://analytics.internal', forwardToken: false }
      ]
    })
  ]
})
export class AppModule {}
// With forwardToken explicitly set, only services that require tokens receive the Authorization header.
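To make the per-service decision concrete, the following is an added TypeScript example that is not part of nestjs-proxy or of the original guide: it models the legacy forward-everything behaviour beside a fail-closed variant keyed on each service's forwardToken flag, and adds a small configuration audit that lists services still relying on the default. The service shape, sample headers, and the helper functions are assumptions for illustration only.

```typescript
// Added example (not nestjs-proxy's own code): models how a gateway decides
// whether a client's Authorization header reaches a given upstream service.
// ProxyService mirrors the page's config shape; forwardToken is the per-service flag.

interface ProxyService {
  name: string;
  url: string;
  forwardToken?: boolean; // undefined means the service never set it explicitly
}

type HeaderMap = Record<string, string>;

// Legacy behaviour (pre-0.7.0 default): every upstream receives every header,
// including Authorization, regardless of which service is being called.
function buildUpstreamHeadersLegacy(_service: ProxyService, incoming: HeaderMap): HeaderMap {
  return { ...incoming };
}

// Hardened behaviour: Authorization is copied only when the service explicitly
// opts in. A service that leaves forwardToken unset is treated as false, so the
// gateway fails closed instead of inheriting a permissive default.
function buildUpstreamHeaders(service: ProxyService, incoming: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const key of Object.keys(incoming)) {
    if (key.toLowerCase() === 'authorization' && service.forwardToken !== true) continue;
    out[key] = incoming[key];
  }
  return out;
}

// Configuration audit: names of services that do not set forwardToken explicitly,
// so a review catches reliance on the package default before deployment.
function servicesWithImplicitForwarding(services: ProxyService[]): string[] {
  return services.filter((s) => s.forwardToken === undefined).map((s) => s.name);
}

// Constructed sample: the page's three services as configured after the fix.
const SERVICES: ProxyService[] = [
  { name: 'billing', url: 'https://billing.internal', forwardToken: false },
  { name: 'payments', url: 'https://payments.internal', forwardToken: true },
  { name: 'analytics', url: 'https://analytics.internal', forwardToken: false },
];

// Constructed sample client headers; the token value is a placeholder.
const CLIENT_HEADERS: HeaderMap = {
  Authorization: 'Bearer PLACEHOLDER_TOKEN',
  'Content-Type': 'application/json',
};
```

Running servicesWithImplicitForwarding against a real module config during startup or in CI is a cheap check that no service silently depends on the default.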