Overview
CVE-2022-31069 describes a security misconfiguration in the NestJS proxy integration where Authorization headers were forwarded to every downstream service indiscriminately. In real deployments, a gateway using nestjs-proxy to route requests to multiple internal services could inadvertently leak OAuth bearer access tokens to services that should never see them. This class of vulnerability maps to CWE-200 (Information Exposure) and can enable token theft, session hijacking, or abuse of downstream trust relationships when tokens are observed by unintended components. The patched behavior in the updated package adds a per-service control to opt out of forwarding Authorization headers, significantly reducing token exposure during cross-service calls. This fix targets the core exposure by letting developers explicitly disable token forwarding for sensitive internal endpoints. The CVE highlights the risk that existed before the 0.7.0 release of @finastra/nestjs-proxy, and also notes that the older @ffdc/nestjs-proxy package is deprecated and should not be used going forward.
Affected Versions
@finastra/nestjs-proxy: versions prior to 0.7.0 are vulnerable; patched in 0.7.0.
@ffdc/nestjs-proxy: deprecated; migrate to @finastra/nestjs-proxy.
Code Fix Example
NestJS API Security Remediation
Vulnerable pattern (no per-service control, Authorization header forwarded by default):
import { Module } from '@nestjs/common';
import { NestjsProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    NestjsProxyModule.forRoot({
      targets: [
        { name: 'serviceA', url: 'https://service-a.internal' },
        { name: 'serviceB', url: 'https://service-b.internal' }
      ]
    })
  ],
})
export class AppModule {}
Fixed pattern (per-service token forwarding control added):
import { Module } from '@nestjs/common';
import { NestjsProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    NestjsProxyModule.forRoot({
      targets: [
        // explicitly disable token forwarding for internal services
        { name: 'serviceA', url: 'https://service-a.internal', forwardToken: false },
        { name: 'serviceB', url: 'https://service-b.internal', forwardToken: false }
      ]
    })
  ],
})
export class AppModule {}
Note: If a downstream service truly requires a forwarded token, set forwardToken: true for that specific target, and keep it disabled for others to minimize exposure.
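As an added illustration (not code from the nestjs-proxy project), the following shows how a gateway can apply a per-target forwardToken switch when assembling the headers sent upstream, together with an audit helper that lists which targets still receive the caller's token. The target shape follows the example config above; the function names and the sample request are constructed, and an unset flag is treated as "do not forward", a defensive default chosen for this example rather than a statement about the library's behavior.

```typescript
// Added illustration of the per-target forwardToken control; not the
// library's own implementation. Target shape follows the page's config,
// function names are hypothetical, sample data is constructed.
type ProxyTarget = { name: string; url: string; forwardToken?: boolean };

type HeaderMap = Record<string, string>;

// Header names (compared case-insensitively) that carry the caller's credential.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization'];

// Build the header set that may be sent to `target`. Unless the target has
// explicitly opted in with forwardToken: true, credential headers are dropped.
// Treating an unset flag as "do not forward" is this example's defensive default.
function buildUpstreamHeaders(target: ProxyTarget, incoming: HeaderMap): HeaderMap {
  const forward = target.forwardToken === true;
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(incoming)) {
    if (!forward && CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
      continue; // strip the token before it reaches an opted-out service
    }
    out[name] = value;
  }
  return out;
}

// Audit helper: names of targets that will still receive the caller's token,
// so a reviewer can confirm each one genuinely needs it.
function targetsReceivingToken(targets: ProxyTarget[]): string[] {
  return targets.filter((t) => t.forwardToken === true).map((t) => t.name);
}

// Constructed sample gateway config: one target opted in, one opted out, one unset.
const sampleTargets: ProxyTarget[] = [
  { name: 'serviceA', url: 'https://service-a.internal', forwardToken: true },
  { name: 'serviceB', url: 'https://service-b.internal', forwardToken: false },
  { name: 'serviceC', url: 'https://service-c.internal' },
];

// Constructed inbound request headers carrying a bearer token.
const sampleRequestHeaders: HeaderMap = {
  Authorization: 'Bearer constructed-sample-token',
  'Content-Type': 'application/json',
  'X-Request-Id': 'req-123',
};
```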