Overview
Broken Object Property Level Authorization vulnerabilities in NestJS applications can arise when the nestjs-proxy module routes requests to multiple backends without restricting which of them may see the Authorization header. Prior to version 0.7.0, nestjs-proxy offered no per-service control to opt out of forwarding tokens, so sensitive OAuth bearer tokens could be exposed to backend services that should never see them. This is the issue tracked as CVE-2022-31069 and classified as CWE-200 (Information Exposure).
In practice, a misconfiguration (or an attacker taking advantage of one) can cause the proxy to forward Authorization headers to all configured services. Because tokens were forwarded by default, OAuth tokens could leak to internal services or third-party backends, enabling token theft or session compromise. The CVE notes that the issue was patched in 0.7.0 by adding a per-service forwardToken option.
To fix, upgrade to @finastra/nestjs-proxy 0.7.0 or later and migrate away from the deprecated @ffdc/nestjs-proxy package; review the README for the exact configuration details. Set forwardToken: true only for services trusted to receive the bearer token and forwardToken: false for all others, so tokens are not leaked.
After upgrading, add tests that verify the Authorization header is not forwarded to unintended services, and document the token-forwarding policy in your security runbooks.
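The following is an added example, not code from the nestjs-proxy project or from this advisory. It models the per-service forwardToken policy as a plain function and adds the kind of audit/test the paragraph above asks for: every service that is not on an explicit trusted list must carry forwardToken: false, and a service left on the default is reported as a finding rather than assumed safe. The function names, the ServiceConfig shape, the sample services and the placeholder bearer token are all constructed for this illustration.

```typescript
// Added example (not the nestjs-proxy library's own code): a minimal model of the
// per-service forwardToken policy plus an audit that flags services which would still
// receive the Authorization header. All names and sample values are constructed.

interface ServiceConfig {
  name: string;
  url: string;
  // Per-service opt-out described in the advisory. Left undefined, the header is
  // forwarded (modelling the "forwarded by default" behaviour the page describes).
  forwardToken?: boolean;
}

type HeaderMap = Record<string, string>;

// Compute the headers the proxy would send upstream for one service.
export function buildUpstreamHeaders(service: ServiceConfig, incoming: HeaderMap): HeaderMap {
  const upstream: HeaderMap = {};
  for (const key of Object.keys(incoming)) {
    // Header names are case-insensitive, so match on the lowercased key.
    if (key.toLowerCase() === 'authorization' && service.forwardToken === false) {
      continue; // explicit opt-out: strip the bearer token for this service
    }
    upstream[key] = incoming[key];
  }
  return upstream;
}

// Audit: every service not on the trusted allow-list must opt out explicitly.
// Relying on the default (undefined) is treated as a finding, not as safe.
export function servicesReceivingToken(services: ServiceConfig[], trusted: string[]): string[] {
  return services
    .filter((s) => trusted.indexOf(s.name) === -1 && s.forwardToken !== false)
    .map((s) => s.name);
}

// Constructed sample configuration: the page's serviceA/serviceB plus a third
// backend added later without any forwardToken setting.
export const SAMPLE_SERVICES: ServiceConfig[] = [
  { name: 'serviceA', url: 'https://service-a.local/api', forwardToken: true },
  { name: 'serviceB', url: 'https://service-b.local/api', forwardToken: false },
  { name: 'analytics', url: 'https://analytics.example/api' },
];

export const TRUSTED_SERVICES: string[] = ['serviceA'];

// Constructed incoming request headers (placeholder token, not a real credential).
export const SAMPLE_REQUEST_HEADERS: HeaderMap = {
  Authorization: 'Bearer PLACEHOLDER_TOKEN',
  'Content-Type': 'application/json',
  'X-Request-Id': 'req-0001',
};

export interface AuditResult {
  findings: string[]; // services that would still receive the token
  upstreamHeaderNames: Record<string, string[]>; // header names sent to each service
}

export function runAudit(
  services: ServiceConfig[] = SAMPLE_SERVICES,
  trusted: string[] = TRUSTED_SERVICES,
  incoming: HeaderMap = SAMPLE_REQUEST_HEADERS,
): AuditResult {
  const upstreamHeaderNames: Record<string, string[]> = {};
  for (const service of services) {
    upstreamHeaderNames[service.name] = Object.keys(buildUpstreamHeaders(service, incoming));
  }
  return { findings: servicesReceivingToken(services, trusted), upstreamHeaderNames };
}

// Example run on the constructed configuration: findings is ['analytics'].
console.log(runAudit());
```

Wiring runAudit into a unit test against the real module configuration turns the policy into a regression check: adding a backend without an explicit forwardToken: false fails the build instead of silently receiving bearer tokens.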
Affected Versions
@finastra/nestjs-proxy: < 0.7.0
@ffdc/nestjs-proxy: deprecated (no longer maintained)
Code Fix Example
NestJS API Security Remediation
import { Module } from '@nestjs/common';
import { NestjsProxyModule } from '@finastra/nestjs-proxy';
// Note: confirm the exported module name and the service option keys against the
// README of the installed @finastra/nestjs-proxy version; the shapes below follow this page.

// Vulnerable pattern (pre-0.7.0 behaviour): no per-service setting exists, so the
// incoming Authorization header is forwarded to every configured service.
@Module({
  imports: [
    NestjsProxyModule.forRoot({
      services: [
        { name: 'serviceA', url: 'https://service-a.local/api' },
        { name: 'serviceB', url: 'https://service-b.local/api' },
      ],
    }),
  ],
})
export class AppModuleVulnerable {}

// Fixed pattern (0.7.0+): opt out of forwarding the Authorization header per service.
// serviceA is trusted to receive the bearer token; serviceB must never see it.
@Module({
  imports: [
    NestjsProxyModule.forRoot({
      services: [
        { name: 'serviceA', url: 'https://service-a.local/api', forwardToken: true },
        { name: 'serviceB', url: 'https://service-b.local/api', forwardToken: false },
      ],
    }),
  ],
})
export class AppModuleFixed {}