Overview
Security Misconfiguration in NestJS can arise when using proxy/decorator libraries that inadvertently forward client cookies to downstream services. CVE-2022-31070 describes a scenario where the nestjs-proxy integration allowed sensitive cookies, such as session cookies, to be automatically forwarded to backend services configured by the application, potentially exposing them to services that should not see them. This class of vulnerability is particularly risky in microservices or API gateway setups where a single frontend orchestrates calls to multiple internal services, increasing the attack surface for credential leakage and session hijacking. The issue was mitigated by patching the library so cookies are blocked from forwarding by default and can be explicitly allowed via configuration, reducing unintended cookie exposure to backend dependencies.
Affected Versions
@finastra/nestjs-proxy: <0.7.0; @ffdc/nestjs-proxy: deprecated (no longer maintained); fixed in @finastra/nestjs-proxy >=0.7.0
Code Fix Example
NestJS API Security Remediation
```typescript
/* Vulnerable (pre-0.7.0 behavior) - cookies forwarded by default to downstream services */
import { Module } from '@nestjs/common';
import { ProxyModule } from '@ffdc/nestjs-proxy'; // deprecated pre-patch package

@Module({
  imports: [
    ProxyModule.forRoot({
      backendUrl: 'https://downstream-service.local',
      // No explicit cookie control; every cookie on the incoming request
      // (including the gateway's own session cookie) is forwarded by default
    }),
  ],
})
export class AppModule {}
```

```typescript
/* Fixed (0.7.0+ behavior) - explicit allow-list to control cookies */
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      backendUrl: 'https://downstream-service.local',
      // Cookies are blocked by default; only the allow-listed names reach
      // the downstream service
      allowedCookies: ['session_id', 'auth_token'],
    }),
  ],
})
export class AppModule {}
```
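The fix above relies on the proxy layer applying a deny-by-default allow-list to the Cookie header before the downstream request is built. The following is an added, library-independent example of that filtering step (not code from @finastra/nestjs-proxy; the function names `parseCookieHeader`, `filterCookiesForUpstream` and `buildUpstreamHeaders`, and the sample request headers, are constructed for illustration). It shows why "block by default" matters: a gateway session cookie that is not on the list never leaves the gateway, and when nothing survives the header is omitted entirely rather than sent empty.

```typescript
// Added example: allow-list filtering of the Cookie header at a proxy layer.
// Not part of @finastra/nestjs-proxy; names and sample data are constructed.

type CookieAllowList = ReadonlyArray<string>;

interface CookiePair {
  name: string;
  value: string;
}

// Parse a raw Cookie request header ("a=1; b=2") into name/value pairs.
// Fragments without a name or without "=" are dropped, never guessed at.
function parseCookieHeader(header: string | undefined): CookiePair[] {
  const pairs: CookiePair[] = [];
  if (!header) return pairs;
  const fragments = header.split(';');
  for (const fragment of fragments) {
    const trimmed = fragment.trim();
    if (trimmed === '') continue;
    const eq = trimmed.indexOf('=');
    if (eq <= 0) continue; // no name, or no "=": not a valid cookie-pair
    pairs.push({
      name: trimmed.slice(0, eq).trim(),
      value: trimmed.slice(eq + 1).trim(), // value may itself contain "="
    });
  }
  return pairs;
}

// Keep only cookies whose names are explicitly allowed. Returns undefined when
// nothing survives, so the caller omits the Cookie header altogether. With an
// empty allow-list (the safe default) no cookie ever reaches the upstream.
function filterCookiesForUpstream(
  header: string | undefined,
  allowed: CookieAllowList,
): string | undefined {
  const kept = parseCookieHeader(header).filter(
    (c) => allowed.indexOf(c.name) !== -1,
  );
  if (kept.length === 0) return undefined;
  return kept.map((c) => `${c.name}=${c.value}`).join('; ');
}

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function findHeader(
  headers: Record<string, string>,
  name: string,
): string | undefined {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Build the header set for the downstream request: every header except Cookie
// is copied through; Cookie is replaced by its filtered form or dropped.
function buildUpstreamHeaders(
  incoming: Record<string, string>,
  allowed: CookieAllowList,
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const key of Object.keys(incoming)) {
    if (key.toLowerCase() === 'cookie') continue;
    out[key] = incoming[key];
  }
  const filtered = filterCookiesForUpstream(findHeader(incoming, 'cookie'), allowed);
  if (filtered !== undefined) out['cookie'] = filtered;
  return out;
}

// Constructed sample request: the gateway's own session cookie must not leak to
// the backend; only the cookie the backend itself relies on may pass.
const sampleHeaders: Record<string, string> = {
  host: 'gateway.example',
  accept: 'application/json',
  cookie: 'gateway_session=abc123; backend_pref=dark; connect.sid=s%3Axyz',
};

const upstreamHeaders = buildUpstreamHeaders(sampleHeaders, ['backend_pref']);
console.log(upstreamHeaders);
// { host: 'gateway.example', accept: 'application/json', cookie: 'backend_pref=dark' }
```

Applying the same filter with an empty allow-list reproduces the patched library's default: the downstream request carries no Cookie header at all. An explicit allow-list should name only cookies the downstream service actually consumes; listing the gateway's own session cookie re-creates the exposure the patch removed.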