Broken Function Level Authorization

Broken Function Level Authorization - NestJS [Updated 2026-03] [CVE-2022-31070]

Overview

CVE-2022-31070 describes a cookie-forwarding flaw in the NestJS proxy ecosystem: prior to version 0.7.0, the nestjs-proxy module did not block sensitive cookies (such as session cookies) from being forwarded to the backend services configured by the application. Authentication or session data could therefore reach downstream services that should never see it (CWE-200: Information Disclosure). In a real deployment, a misconfigured proxy could leak user cookies across service boundaries, allowing an attacker or a compromised downstream service to reuse session state or identity tokens further along the trust chain.

The fix in @finastra/nestjs-proxy 0.7.0 blocks cookie forwarding by default and adds an allow-list mechanism, so forwarding a given cookie name now requires explicit configuration. The advisory also notes that @ffdc/nestjs-proxy is deprecated and no longer maintained; migrating to @finastra/nestjs-proxy is essential for continued security updates.

The vulnerability shows how a function-level abstraction such as a proxy layer can bypass application-level access controls when cookie data is trusted downstream without scoping and filtering. In NestJS applications the risk appears when function-level authorization decisions depend on cookies that are silently propagated to proxied calls across service boundaries. Remediation means upgrading and tightening cookie handling, and enforcing authorization at the NestJS layer rather than trusting cookie state that reaches downstream services.

Affected Versions

For @finastra/nestjs-proxy: versions < 0.7.0 are affected. For @ffdc/nestjs-proxy: all versions prior to deprecation (deprecated and no longer maintained).

Code Fix Example

NestJS API Security Remediation
/* Vulnerable pattern (cookies forwarded by default) */
import { Module } from '@nestjs/common';
import { ProxyModule } from '@ffdc/nestjs-proxy'; // Deprecated, used here to illustrate vulnerable scenario

@Module({
  imports: [
    ProxyModule.forRoot({
      // No explicit cookie filtering; all cookies may be forwarded to backend services
      target: 'https://backend.example.com',
    }),
  ],
})
export class AppModule {}

/* Fixed pattern (block cookies by default and whitelist allowed cookies) */
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      target: 'https://backend.example.com',
      // Explicitly allow only a safe set of cookies to be forwarded
      allowedCookies: ['session_id', 'user_token'],
    }),
  ],
})
export class AppModule {}
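The module configuration above only declares which cookie names may cross the proxy; the following is an added, self-contained TypeScript example (not code from the nestjs-proxy project) that models the filtering behaviour the 0.7.0 fix describes: every cookie is dropped unless its name is on the allow-list, and the legacy forward-everything behaviour is kept behind an explicit flag so the two can be compared in a unit test. The function names, the `forwardAllCookies` flag and the sample headers are all assumptions constructed for this example. Note that allow-listing the session cookie itself, as the fixed configuration above does, re-opens the disclosure to that one backend, so only do that for a service that genuinely needs the user's session.

```typescript
// Added example, not part of the nestjs-proxy project: a cookie allow-list
// filter modelling the "block by default, allow by name" behaviour of the fix.

export interface CookiePolicy {
  // Cookie names that may be forwarded to the upstream service (default: none).
  allowedCookies?: string[];
  // Hypothetical flag reproducing the pre-0.7.0 behaviour for comparison only.
  forwardAllCookies?: boolean;
}

// Keep only the cookie pairs whose name is explicitly allowed.
// Returns undefined when nothing survives, so the header is omitted entirely.
export function filterCookieHeader(
  cookieHeader: string | undefined,
  allowedCookies: string[] = [],
): string | undefined {
  if (!cookieHeader) return undefined;
  const allowed = new Set(allowedCookies);
  const kept = cookieHeader
    .split(';')
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .filter((pair) => {
      const eq = pair.indexOf('=');
      const name = eq === -1 ? pair : pair.slice(0, eq);
      return allowed.has(name);
    });
  return kept.length > 0 ? kept.join('; ') : undefined;
}

// Build the header set sent upstream; header names are matched case-insensitively
// because Node may present "Cookie" or "cookie" depending on the source.
export function buildUpstreamHeaders(
  incoming: Record<string, string>,
  policy: CookiePolicy = {},
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(incoming)) {
    if (name.toLowerCase() !== 'cookie') {
      out[name] = value;
      continue;
    }
    if (policy.forwardAllCookies) {
      out['cookie'] = value; // legacy behaviour: session cookie leaks downstream
      continue;
    }
    const filtered = filterCookieHeader(value, policy.allowedCookies);
    if (filtered !== undefined) out['cookie'] = filtered;
  }
  return out;
}

// Constructed sample request headers (not captured traffic).
export const sampleHeaders: Record<string, string> = {
  host: 'api.example.com',
  Cookie: 'connect.sid=s%3Aabc123; theme=dark; csrf=xyz',
  accept: 'application/json',
};

// Usage: with the default policy the session cookie never reaches the backend.
console.log(buildUpstreamHeaders(sampleHeaders));
console.log(buildUpstreamHeaders(sampleHeaders, { allowedCookies: ['theme'] }));
```

With an empty policy the upstream request carries no `cookie` header at all; allow-listing `theme` forwards exactly `theme=dark` and nothing else.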
