Broken Authentication

Broken Authentication in NestJS Proxy [CVE-2022-31070]

Overview

The NestJS ecosystem has seen real-world exposure of sensitive cookies through the nestjs-proxy module before its patch release. The CVE-2022-31070 entry describes how a proxy library used to decorate and proxy calls could unintentionally forward cookies, including session cookies, to downstream backend services configured by the application. This is a classic CWE-200 scenario: sensitive information, such as authentication cookies, could leak to services that should not receive them, enabling session hijacking or cross-service credential exposure. In practice, an attacker could leverage a misconfigured proxy to piggyback on legitimate requests, gaining access to backend services that rely on those cookies for authentication or session state. The risk is compounded in microservice architectures where multiple services trust upstream cookies, potentially widening the blast radius beyond a single service boundary.

The vulnerability manifests in NestJS projects that rely on the nestjs-proxy library (and its variants) to transparently forward requests to backend services. Prior to version 0.7.0 of @finastra/nestjs-proxy, there was no strict and default cookie-blocking mechanism, so cookies from incoming client requests could be propagated to downstream targets. The problem was addressed in 0.7.0 by blocking cookies from being forwarded by default, with an opt-in allow-list via the allowedCookies configuration. However, users still running the deprecated @ffdc/nestjs-proxy or older forks were exposed to this risk until they migrated. This remediation guide focuses on upgrading and properly configuring the proxy to prevent leakage, referencing CVE-2022-31070 and the associated mitigation path.

To remediate in a NestJS (TypeScript) application, upgrade to the patched proxy library, and explicitly configure an allow-list of cookies to be forwarded. Ensure internal proxies do not forward authentication/session cookies unless explicitly required by the downstream service. Validate cookie handling in tests, and review all places where the proxy is configured to ensure no unsafe defaults are in place. After upgrading and configuring allowedCookies, conduct targeted tests with sensitive cookies present and absent to verify that only permitted cookies reach backend services. This aligns with the CVE-2022-31070 mitigation path and reduces exposure as described under CWE-200.

In addition to code changes, audit your dependency graph to remove deprecated @ffdc/nestjs-proxy usage and update documentation and CI pipelines to enforce allowedCookies as a standard practice when using nestjs-proxy forks.

Affected Versions

@finastra/nestjs-proxy: <0.7.0; @ffdc/nestjs-proxy: any version prior to deprecation (deprecated and unmaintained)

Code Fix Example

NestJS API Security Remediation
```ts
// Vulnerable: cookies are forwarded by default by the proxy
import { Module } from '@nestjs/common';
import { ProxyModule } from '@ffdc/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      target: 'https://backend.example.local',
      // No explicit allowedCookies; cookies are forwarded by default
    }),
  ],
})
export class VulnerableAppModule {}
```

```ts
// Fixed: restrict forwarded cookies with an allow-list
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      target: 'https://backend.example.local',
      // Only these cookies will be forwarded; every other cookie is dropped
      allowedCookies: ['SESSION_ID', 'AUTH_TOKEN'],
    }),
  ],
})
export class FixedAppModule {}
```
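The default-deny allow-list behaviour described in the overview can be exercised in isolation before testing it end to end. The following is an added example, not code from @finastra/nestjs-proxy or from this page; `HeaderMap`, `parseCookiePairs` and `buildOutboundHeaders` are hypothetical names, and the request headers are constructed sample data.

```typescript
// Added example; not the @finastra/nestjs-proxy source. All names are hypothetical.
type HeaderMap = Record<string, string | string[] | undefined>;

// Split a Cookie header into [name, rawPair] entries. The raw pair is kept so
// that values (which may contain '=') are forwarded byte-for-byte.
function parseCookiePairs(header: string): Array<[string, string]> {
  return header
    .split(';')
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair): [string, string] => {
      const eq = pair.indexOf('=');
      return [eq === -1 ? pair : pair.slice(0, eq).trim(), pair];
    });
}

// Build the headers for the downstream call. Default-deny: with an empty
// allow-list the Cookie header is dropped entirely.
function buildOutboundHeaders(
  inbound: HeaderMap,
  allowedCookies: readonly string[] = [],
): { outbound: HeaderMap; dropped: string[] } {
  const allowed = new Set(allowedCookies); // exact, case-sensitive names
  const outbound: HeaderMap = {};
  const rawCookies: string[] = [];
  for (const [key, value] of Object.entries(inbound)) {
    if (key.toLowerCase() !== 'cookie') {
      outbound[key] = value;
    } else if (value !== undefined) {
      rawCookies.push(...(Array.isArray(value) ? value : [value]));
    }
  }
  const kept: string[] = [];
  const dropped: string[] = []; // names only, safe to log; never log values
  for (const [name, pair] of parseCookiePairs(rawCookies.join(';'))) {
    if (allowed.has(name)) kept.push(pair);
    else dropped.push(name);
  }
  if (kept.length > 0) outbound['cookie'] = kept.join('; ');
  return { outbound, dropped };
}

// Constructed sample request: session and auth cookies plus a preference cookie.
const sampleInbound: HeaderMap = {
  accept: 'application/json',
  Cookie: 'SESSION_ID=abc123; theme=dark; AUTH_TOKEN=eyJ0eXAi.x=y==',
};
const sampleResult = buildOutboundHeaders(sampleInbound, ['theme']);
console.log(sampleResult.outbound, sampleResult.dropped);
```

The `dropped` list gives a test or an audit log something concrete to assert on: a session or auth cookie name appearing there confirms it never reached the backend.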

CVE References
