Overview
CVE-2022-31069 describes a real-world risk in the NestJS Proxy module: by default, the proxy forwarded the incoming Authorization header to every configured backend service. As a result, OAuth bearer tokens could reach internal or third-party services that had no business seeing them, leaking credentials and enabling token reuse (CWE-200: Exposure of Sensitive Information). An attacker who could route requests through a misconfigured proxy could have tokens carried across several internal services, each of which could then replay the token in calls of its own. The issue shows how loose header handling in a proxy layer turns ordinary inter-service traffic into a credential leakage channel. The fix in @finastra/nestjs-proxy 0.7.0 and later adds a per-service forwardToken option, so that forwarding of the Authorization header can be switched off for each service that should not receive it. Users of the deprecated @ffdc/nestjs-proxy package should migrate to @finastra/nestjs-proxy, since the former is no longer maintained and will not receive this fix.
Affected Versions
@finastra/nestjs-proxy: < 0.7.0; @ffdc/nestjs-proxy: deprecated (all versions; no longer maintained)
Code Fix Example
NestJS API Security Remediation
Vulnerable pattern (pre-0.7.0) followed by the fixed pattern (0.7.0+):
// Vulnerable usage (pre-0.7.0): the Authorization header is forwarded by default
// to every proxied service, so both billing and crm receive the caller's token.
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      services: [
        { name: 'billing', target: 'http://billing.internal' },
        { name: 'crm', target: 'http://crm.internal' }
      ]
    })
  ],
})
export class AppModuleVulnerable {}

// Fixed usage (0.7.0+): opt out of forwarding the Authorization header per service.
// billing no longer sees the token; crm is explicitly allowed to receive it.
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      services: [
        { name: 'billing', target: 'http://billing.internal', forwardToken: false },
        { name: 'crm', target: 'http://crm.internal', forwardToken: true }
      ]
    })
  ],
})
export class AppModuleFixed {}
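The following is an added example, not code from @finastra/nestjs-proxy or from this advisory. It models the header-forwarding decision that CVE-2022-31069 is about, so the difference between the pre-0.7.0 behaviour and the per-service forwardToken opt-out can be exercised on constructed input. The names ServiceConfig, buildUpstreamHeadersLegacy, buildUpstreamHeaders and auditTokenForwarding are hypothetical, and the example assumes that a service with no forwardToken value still forwards the token (the advisory describes the option as an opt-out); check the library's documentation for the actual default.

```typescript
// Added example modelling the Authorization-forwarding behaviour behind
// CVE-2022-31069. Not the library's code; all names here are hypothetical.

type HeaderMap = Record<string, string>;

interface ServiceConfig {
  name: string;
  target: string;
  // Per-service opt-out introduced in 0.7.0. Assumption: an unset value
  // behaves like true (forward), matching the advisory's "opt out" wording.
  forwardToken?: boolean;
}

// Headers that carry the caller's credentials. Only services explicitly
// trusted as a token audience should ever receive them.
const CREDENTIAL_HEADERS = new Set(['authorization']);

// Pre-0.7.0 behaviour: every incoming header, Authorization included,
// is copied onto the upstream request for every configured service.
function buildUpstreamHeadersLegacy(incoming: HeaderMap): HeaderMap {
  return { ...incoming };
}

// 0.7.0+ behaviour: credential headers are dropped when forwardToken is false;
// all other headers pass through unchanged.
function buildUpstreamHeaders(service: ServiceConfig, incoming: HeaderMap): HeaderMap {
  const forward = service.forwardToken !== false; // assumption: default is true
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(incoming)) {
    if (!forward && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Deployment check: names of services that will still receive the caller's
// bearer token. Every name returned should be an intended token audience;
// anything else is a leak waiting to happen.
function auditTokenForwarding(services: ServiceConfig[]): string[] {
  return services.filter((s) => s.forwardToken !== false).map((s) => s.name);
}

// Constructed sample configuration and request (not from a real deployment).
const SAMPLE_SERVICES: ServiceConfig[] = [
  { name: 'billing', target: 'http://billing.internal', forwardToken: false },
  { name: 'crm', target: 'http://crm.internal', forwardToken: true },
  { name: 'search', target: 'http://search.internal' }, // relies on the default
];

const SAMPLE_REQUEST_HEADERS: HeaderMap = {
  Authorization: 'Bearer EXAMPLE_TOKEN_PLACEHOLDER',
  'Content-Type': 'application/json',
  'X-Request-Id': 'req-0001',
};

// Stand-alone demonstration.
for (const svc of SAMPLE_SERVICES) {
  const legacy = buildUpstreamHeadersLegacy(SAMPLE_REQUEST_HEADERS);
  const fixed = buildUpstreamHeaders(svc, SAMPLE_REQUEST_HEADERS);
  console.log(
    `${svc.name}: pre-0.7.0 ${'Authorization' in legacy ? 'forwards' : 'strips'} token, ` +
      `0.7.0+ ${'Authorization' in fixed ? 'forwards' : 'strips'} token`,
  );
}
console.log('services still receiving tokens:', auditTokenForwarding(SAMPLE_SERVICES));
```

Running auditTokenForwarding against the real services array at startup (or in CI) is the practical check: the list it returns is exactly the set of upstreams that will see bearer tokens, and the search entry above shows why leaving forwardToken unset deserves review rather than silence.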