Overview
Broken Function Level Authorization (BFLA) in NestJS can occur when a proxy layer forwards user-supplied headers, including Authorization, to downstream services without filtering which service should receive them. CVE-2022-31069 documents this risk in the nestjs-proxy library, where pre-patch deployments could expose OAuth bearer access tokens to internal or external services that should not see them. This exposure can enable token theft, unauthorized API access, or token leakage across service boundaries.
In a typical NestJS microservice architecture, requests pass through a proxy to multiple backends. If the proxy forwards the Authorization header to every configured backend, an attacker or compromised service may leverage a token to access protected resources in services that should not be visible to that token, effectively bypassing access controls.
Remediation and patch: The vulnerability was fixed by introducing a per-service forwardToken option in the patched library. Upgrading to @finastra/nestjs-proxy >= 0.7.0 (and migrating away from the deprecated @ffdc/nestjs-proxy) lets developers opt out of forwarding the Authorization header on a per-service basis, reducing token exposure. After upgrading, consult the library README for how to set forwardToken for each backend.
Best practices: implement least privilege for tokens, restrict which services receive tokens, and add tests to ensure sensitive headers are not proxied to nonessential backends. Regularly audit dependencies and perform token leakage tests as part of your security regression suite.
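The following is an added, standalone TypeScript example (not code from the nestjs-proxy library or this advisory) that models the per-service forwarding decision described above and the regression check recommended in the best-practices paragraph. The names ServiceConfig, buildUpstreamHeaders, forwardAllHeaders and servicesLeakingCredentials, the service registry and the sample request are assumptions constructed for illustration; the library's real configuration keys are documented in its README.

```typescript
// Added example: a self-contained model of per-service credential forwarding.
// Not the nestjs-proxy library's code; all names below are illustrative.

interface ServiceConfig {
  baseUrl: string;
  // Mirrors the intent of the forwardToken option from the 0.7.0 fix:
  // only backends that genuinely need the caller's token receive it.
  forwardToken: boolean;
}

type HeaderMap = Record<string, string>;

// Constructed sample registry; the URLs are placeholders.
const SERVICES: Record<string, ServiceConfig> = {
  users: { baseUrl: 'https://internal.example.com/users', forwardToken: false },
  payments: { baseUrl: 'https://internal.example.com/payments', forwardToken: true },
  analytics: { baseUrl: 'https://internal.example.com/analytics', forwardToken: false },
};

// Headers that carry the caller's credentials. Matched case-insensitively,
// since HTTP header names are case-insensitive and Node lower-cases them.
const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Pre-fix behaviour: every incoming header is copied to every backend,
// so the bearer token reaches services that should never see it.
function forwardAllHeaders(incoming: HeaderMap): HeaderMap {
  return { ...incoming };
}

// Fixed behaviour: credential headers are dropped unless the target
// service is explicitly configured with forwardToken: true.
function buildUpstreamHeaders(serviceId: string, incoming: HeaderMap): HeaderMap {
  const service = SERVICES[serviceId];
  if (!service) {
    throw new Error(`unknown service: ${serviceId}`);
  }
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(incoming)) {
    if (!service.forwardToken && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      continue; // strip the credential before it crosses the service boundary
    }
    out[name] = value;
  }
  return out;
}

// Regression check for a test suite: returns the ids of every configured
// service that would still receive a credential header for this request.
// Anything other than the intended token-consuming backends is a leak.
function servicesLeakingCredentials(incoming: HeaderMap): string[] {
  return Object.keys(SERVICES).filter((id) =>
    Object.keys(buildUpstreamHeaders(id, incoming)).some((h) =>
      CREDENTIAL_HEADERS.has(h.toLowerCase()),
    ),
  );
}

// Constructed sample request: a bearer token plus a harmless header.
const SAMPLE_REQUEST: HeaderMap = {
  Authorization: 'Bearer <constructed-sample-token>',
  Accept: 'application/json',
};

console.log('pre-fix, users backend receives:', forwardAllHeaders(SAMPLE_REQUEST));
console.log('fixed, users backend receives:', buildUpstreamHeaders('users', SAMPLE_REQUEST));
console.log('services still receiving credentials:', servicesLeakingCredentials(SAMPLE_REQUEST));
```

In a real suite the last call would be asserted against an explicit allow-list (here only payments), so that adding a new backend without setting forwardToken: false fails the build rather than silently widening the token's reach.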
Affected Versions
@finastra/nestjs-proxy: < 0.7.0 (patched in 0.7.0)
@ffdc/nestjs-proxy: deprecated; migrate to @finastra/nestjs-proxy
Code Fix Example
NestJS API Security Remediation
/* Vulnerable pattern (pre-fix) using @ffdc/nestjs-proxy (no per-service forwardToken control).
   Every configured backend receives the caller's Authorization header. */
import { Module } from '@nestjs/common';
import { NestjsProxyModule } from '@ffdc/nestjs-proxy';

@Module({
  imports: [
    NestjsProxyModule.register({
      services: {
        users: { baseUrl: 'https://internal.example.com/users' },
        payments: { baseUrl: 'https://internal.example.com/payments' },
        analytics: { baseUrl: 'https://internal.example.com/analytics' }
      }
    })
  ]
})
export class VulnerableAppModule {}

/* Fixed pattern using @finastra/nestjs-proxy >= 0.7.0 with per-service forwardToken control.
   Configuration shape shown as in this advisory; check the library README for the exact option names in your version. */
import { Module } from '@nestjs/common';
import { NestjsProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    NestjsProxyModule.register({
      services: {
        // Do not forward tokens to user-facing backends
        users: { baseUrl: 'https://internal.example.com/users', forwardToken: false },
        // Forward tokens only where the backend must act on the caller's behalf
        payments: { baseUrl: 'https://internal.example.com/payments', forwardToken: true },
        // Do not forward tokens to analytics or internal tooling
        analytics: { baseUrl: 'https://internal.example.com/analytics', forwardToken: false }
      }
    })
  ]
})
export class FixedAppModule {}