Overview
Broken Object Property Level Authorization vulnerabilities in NestJS can arise when a proxy or intermediary service forwards user cookies to downstream services without strict controls. The CVE-2022-31070 case highlights how the nestjs-proxy module allowed sensitive cookies, such as session cookies, to be forwarded by default to backend destinations. This information exposure (CWE-200) could enable an attacker or compromised downstream service to perform actions on behalf of the user or intercept authorization data used for object property access, effectively enabling unintended access across services. In real-world deployments, this means that cookies carrying identity or session state could be leaked to services that should not see them, undermining object level authorization boundaries between microservices and API gateways.
Affected Versions
@finastra/nestjs-proxy < 0.7.0; @ffdc/nestjs-proxy deprecated and unmaintained
Code Fix Example
NestJS API Security Remediation
// Vulnerable pattern (cookies forwarded by default)
import { Module } from '@nestjs/common';
import { NestJsProxyModule } from '@finastra/nestjs-proxy';
@Module({
imports: [
NestJsProxyModule.forRoot({
backendBaseUrl: 'https://downstream-service',
// No explicit cookie policy; cookies may be forwarded by default in older versions
}),
],
})
export class AppModule {}
// Fixed pattern (explicit allow-list of safe cookies)
import { Module } from '@nestjs/common';
import { NestJsProxyModule } from '@finastra/nestjs-proxy';
@Module({
imports: [
NestJsProxyModule.forRoot({
backendBaseUrl: 'https://downstream-service',
allowedCookies: ['SESSION_ID', 'X-Request-Id'] // whitelist safe cookies to forward
}),
],
})
export class AppModule {}