Overview
CVE-2022-31070 affects the NestJS Proxy module: prior to version 0.7.0, cookies on the incoming request (including sensitive session cookies) could be forwarded to the backend services configured by the application. Downstream services that should never see those cookies could therefore receive them, which amounts to information disclosure (CWE-200). The patched version blocks cookie forwarding by default, reducing unintended exposure. Developers who need forwarding can still opt in by whitelisting specific cookie names with the allowedCookies config setting. This remediation guide builds on the CVE details and explains how the vulnerability manifests in real NestJS code, how it could be exploited in practice, and the concrete steps to fix it: upgrading to the patched library and configuring cookie handling in NestJS projects.
Affected Versions
@finastra/nestjs-proxy (formerly @ffdc/nestjs-proxy), all versions earlier than 0.7.0
Code Fix Example
NestJS API Security Remediation
// Vulnerable pattern (cookie forwarding enabled by default).
// Uses the former package name @ffdc/nestjs-proxy, i.e. a pre-0.7.0 release.
import { Module } from '@nestjs/common';
import { NestFactory } from '@nestjs/core';
import { ProxyModule as FallbackProxyModule } from '@ffdc/nestjs-proxy';

@Module({
  imports: [
    FallbackProxyModule.register({
      backendBaseUrl: 'https://backend.internal',
      // No cookie filtering configured -> every request cookie,
      // session cookies included, may be forwarded to the backend
    }),
  ],
})
export class VulnerableAppModule {}

export async function bootstrapVulnerable() {
  const app = await NestFactory.create(VulnerableAppModule);
  await app.listen(3000);
}

// Fixed pattern (cookies blocked by default, optionally whitelisted).
// Lives in its own module file, separate from the vulnerable pattern above,
// so the identically named Module/NestFactory imports do not collide.
import { Module } from '@nestjs/common';
import { NestFactory } from '@nestjs/core';
import { ProxyModule as FinastraProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    FinastraProxyModule.register({
      backendBaseUrl: 'https://backend.internal',
      allowedCookies: [], // explicitly block all cookies (also the >= 0.7.0 default)
      // or: allowedCookies: ['SESSION', 'XSRF-TOKEN'] to whitelist named cookies only
    }),
  ],
})
export class FixedAppModule {}

export async function bootstrapFixed() {
  const app = await NestFactory.create(FixedAppModule);
  await app.listen(3001);
}
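To make the allowlist semantics concrete and testable outside the framework, the following added example reproduces the behaviour the advisory describes: every incoming header except Cookie is copied to the upstream request, and Cookie is re-added only with the subset named in allowedCookies, so the patched default (an empty list) sends no cookie at all. This is illustration code written for this guide, not code from @finastra/nestjs-proxy; the function names, the header representation and the sample cookie values are assumptions. A test that calls buildUpstreamHeaders with the project's configured allowlist and asserts that the session cookie name is absent is a cheap regression check to keep next to the upgrade.

```typescript
// Added example: a minimal cookie allowlist filter that mirrors the behaviour
// described for @finastra/nestjs-proxy >= 0.7.0 (cookies dropped unless named
// in allowedCookies). Not the library's own code; names and sample values are
// assumptions chosen for illustration.

type HeaderMap = Record<string, string | undefined>;

/** Split a raw Cookie request header into [name, value] pairs. */
function parseCookieHeader(header: string | undefined): Array<[string, string]> {
  if (!header) return [];
  return header
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part): [string, string] => {
      const eq = part.indexOf('=');
      // A bare token without '=' is kept as a name with an empty value.
      return eq === -1 ? [part, ''] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

/**
 * Keep only the cookies whose names appear in `allowedCookies`.
 * Returns undefined when nothing survives so the caller omits the header
 * entirely rather than sending an empty `Cookie:` line upstream.
 * Names are compared exactly (case-sensitive), as RFC 6265 defines them.
 */
function filterCookieHeader(header: string | undefined, allowedCookies: string[]): string | undefined {
  const allowed = new Set(allowedCookies);
  const kept = parseCookieHeader(header).filter(([name]) => allowed.has(name));
  if (kept.length === 0) return undefined;
  return kept.map(([name, value]) => `${name}=${value}`).join('; ');
}

/** Locate the Cookie header regardless of the casing the client used. */
function incomingCookie(headers: HeaderMap): string | undefined {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'cookie') return value;
  }
  return undefined;
}

/**
 * Patched behaviour: copy every incoming header except Cookie, then re-add
 * Cookie only with the allowlisted subset. With the default of [] no Cookie
 * header reaches the backend.
 */
function buildUpstreamHeaders(incoming: HeaderMap, allowedCookies: string[] = []): HeaderMap {
  const upstream: HeaderMap = {};
  for (const [name, value] of Object.entries(incoming)) {
    if (name.toLowerCase() === 'cookie') continue; // header names are case-insensitive
    upstream[name] = value;
  }
  const cookie = filterCookieHeader(incomingCookie(incoming), allowedCookies);
  if (cookie !== undefined) upstream['cookie'] = cookie;
  return upstream;
}

/** Pre-0.7.0 behaviour for comparison: the whole header set, cookies included, goes upstream. */
function legacyUpstreamHeaders(incoming: HeaderMap): HeaderMap {
  return { ...incoming };
}

// Constructed sample request: a browser sends a session cookie and a CSRF
// token to the NestJS front end. The values are placeholders, not real tokens.
const sampleRequestHeaders: HeaderMap = {
  host: 'app.example.test',
  accept: 'application/json',
  Cookie: 'SESSION=placeholder-session-id; XSRF-TOKEN=placeholder-xsrf; theme=dark',
};

// Vulnerable: SESSION is forwarded to the backend.
const legacyForwardAll = legacyUpstreamHeaders(sampleRequestHeaders);
// Patched default: no cookie reaches the backend.
const patchedDefault = buildUpstreamHeaders(sampleRequestHeaders);
// Explicit opt-in: only XSRF-TOKEN is whitelisted; SESSION stays with the front end.
const optIn = buildUpstreamHeaders(sampleRequestHeaders, ['XSRF-TOKEN']);
```

The comparison is exact on cookie names on purpose: an allowlist entry of `session` does not match a `SESSION` cookie, so a typo in allowedCookies fails closed (the cookie is dropped) rather than open.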