Sensitive Data Exposure

Sensitive Data Exposure and NestJS CVE-2022-31069 [CVE-2022-31069]

[Updated March 2026] Updated CVE-2022-31069

Overview

Sensitive data exposure arises when a NestJS proxy forwards the incoming Authorization header to every configured backend without a per-service control. In CVE-2022-31069, versions of the nestjs-proxy library before 0.7.0 offered no reliable way to opt a specific backend out of receiving the caller's OAuth bearer token: whichever service a request was proxied to received the header. A backend that does not need the user's credentials therefore got them anyway, and any request log, error report or outbound call on that backend became a place where the token could be read and replayed, enabling token theft, session hijacking, or use of protected resources in the user's name (CWE-200, exposure of sensitive information to an unauthorized actor).

The pattern matters in microservice architectures where a single authenticated user reaches several internal services through one proxy. The token is scoped to the user, not to the service, so forwarding it everywhere makes every backend a holder of a credential that is valid against every other backend. The vulnerability manifests as soon as the application wires the proxy with its default behaviour of forwarding headers to all configured services; no attacker action is needed beyond read access to a downstream service's logs or control of a compromised, low-trust backend, and a simple misconfiguration (a diagnostic service added to the list) is enough to leak tokens.

Version 0.7.0 adds a forwardToken setting on each service entry so that token forwarding can be disabled per service, limiting exposure to the backends that legitimately validate the token (refer to the project README on GitHub or npm). Because the setting is an opt-out, the default remains forwarding: an entry that is never reviewed keeps receiving the token, so every service entry should be looked at when upgrading and set to forwardToken: false unless that backend authenticates the user's token itself. The older @ffdc/nestjs-proxy package is deprecated and should be replaced with @finastra/nestjs-proxy to receive security updates. Tokens that may already have reached backends or logs that should not have seen them are best treated as exposed. This remediation aligns with CWE-200 guidance on avoiding exposure of sensitive information.

Affected Versions

@finastra/nestjs-proxy: versions before 0.7.0 (fixed in 0.7.0); @ffdc/nestjs-proxy: deprecated and no longer maintained, all versions; migrate to @finastra/nestjs-proxy 0.7.0 or later

Code Fix Example

NestJS API Security Remediation
// Vulnerable (pre-0.7.0) pattern: there is no per-service switch, so the
// caller's Authorization header is forwarded to every configured backend,
// including 'reports', which has no reason to see the user's bearer token.
import { Module } from '@nestjs/common';
import { NestjsProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    NestjsProxyModule.forRoot({
      services: [
        { name: 'payments', url: 'https://payments.internal/api' },
        { name: 'reports', url: 'https://reports.internal/api' }
      ]
    })
  ]
})
export class AppModule {}

// Fixed (0.7.0+): forwardToken is set explicitly on every service entry.
// Forwarding is the opt-out default, so 'reports' must say forwardToken: false;
// an entry left unset keeps receiving the token.
@Module({
  imports: [
    NestjsProxyModule.forRoot({
      services: [
        // validates the user's token itself, so it needs the header
        { name: 'payments', url: 'https://payments.internal/api', forwardToken: true },
        // talks to the proxy with service credentials only; never sees the user token
        { name: 'reports', url: 'https://reports.internal/api', forwardToken: false }
      ]
    })
  ]
})
export class AppModuleFixed {}
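To make the control described in the overview and in the fix above concrete, the following is an added example written for this page; it is not code from @finastra/nestjs-proxy and does not use its API. It models the decision the 0.7.0 forwardToken option lets the developer make: given the service list, the target service and the incoming request headers, which headers go upstream. It also goes one step beyond the page: it adds a default-deny policy for entries that set no forwardToken, and a configuration audit that lists services receiving the token only because nobody set the option. The type and function names (ProxyService, ForwardPolicy, headersForService, unreviewedTokenForwarding), the defaultForwardToken knob, and the sample services, hosts and token are this example's own assumptions.

```typescript
// Added example written for this page, not code from @finastra/nestjs-proxy.
// It models the per-service token-forwarding decision that CVE-2022-31069
// lacked. All names below (ProxyService, ForwardPolicy, headersForService,
// unreviewedTokenForwarding, the sample services and token) are assumptions.

interface ProxyService {
  name: string;
  url: string;
  // Per-service opt-out; undefined means "never reviewed", so the policy decides.
  forwardToken?: boolean;
}

interface ForwardPolicy {
  // Decision for services that set no forwardToken. The 0.7.0-style opt-out
  // model forwards by default; a hardened deployment sets this to false.
  defaultForwardToken: boolean;
}

type HeaderMap = { [name: string]: string };

// Header names carrying the end user's credential, compared case-insensitively.
const CREDENTIAL_HEADERS: string[] = ["authorization"];

const OPT_OUT_DEFAULT: ForwardPolicy = { defaultForwardToken: true };

// Lower-case header names so "Authorization" and "authorization" are one key.
function normalizeHeaders(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const key of Object.keys(headers)) {
    out[key.toLowerCase()] = headers[key];
  }
  return out;
}

// Whether this service is entitled to the caller's credential headers.
function mayForwardToken(service: ProxyService, policy: ForwardPolicy): boolean {
  return service.forwardToken === undefined ? policy.defaultForwardToken : service.forwardToken;
}

function findService(services: ProxyService[], name: string): ProxyService | undefined {
  for (const s of services) {
    if (s.name === name) return s;
  }
  return undefined;
}

// Headers the proxy would send upstream for `target`. An unknown target is an
// error, not a pass-through: a mistyped service name must not send a token anywhere.
function headersForService(
  services: ProxyService[],
  target: string,
  incoming: HeaderMap,
  policy: ForwardPolicy = OPT_OUT_DEFAULT,
): HeaderMap {
  const service = findService(services, target);
  if (!service) {
    throw new Error("unknown proxy service: " + target);
  }
  const headers = normalizeHeaders(incoming);
  if (!mayForwardToken(service, policy)) {
    for (const name of CREDENTIAL_HEADERS) {
      delete headers[name];
    }
  }
  return headers;
}

// Config audit: services that would receive the token only because nobody decided.
function unreviewedTokenForwarding(
  services: ProxyService[],
  policy: ForwardPolicy = OPT_OUT_DEFAULT,
): string[] {
  const names: string[] = [];
  for (const s of services) {
    if (s.forwardToken === undefined && policy.defaultForwardToken) names.push(s.name);
  }
  return names;
}

// Constructed sample configuration and request; hosts and token are not real.
const SAMPLE_SERVICES: ProxyService[] = [
  { name: "payments", url: "https://payments.internal/api", forwardToken: true },
  { name: "reports", url: "https://reports.internal/api", forwardToken: false },
  { name: "legacy", url: "https://legacy.internal/api" }, // forwardToken never set
];

const SAMPLE_REQUEST: HeaderMap = {
  Authorization: "Bearer sample-token-not-real",
  "Content-Type": "application/json",
  "X-Request-Id": "req-123",
};

for (const target of ["payments", "reports", "legacy"]) {
  const sent = headersForService(SAMPLE_SERVICES, target, SAMPLE_REQUEST);
  console.log(target + ": " + ("authorization" in sent ? "receives token" : "token stripped"));
}
console.log("unreviewed token forwarding: " + unreviewedTokenForwarding(SAMPLE_SERVICES).join(", "));
```

Run it with npx tsx (or ts-node). The audit function is the check worth wiring into CI after upgrading: anything it lists is a backend receiving the user's token by omission rather than by decision, which is exactly the state the pre-0.7.0 library forced on every service.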

CVE References

NVD entry for CVE-2022-31069: https://nvd.nist.gov/vuln/detail/CVE-2022-31069