Overview
CVE-2022-31070 describes a sensitive data exposure risk in the NestJS Proxy ecosystem where cookies, including session cookies, could be forwarded from the client to backend services configured by the application. Before the fix, nestjs-proxy integrations lacked a reliable mechanism to block or filter sensitive cookies from being sent to downstream services, which could lead to session hijacking or leakage of user authentication data. This class of exposure is CWE-200, and it affects configurations that did not explicitly restrict cookie forwarding. The patch introduced in version 0.7.0 of @finastra/nestjs-proxy blocks cookies from being forwarded by default and adds an allow-list via the allowedCookies config setting. This mitigates the risk while still letting essential cookies flow when they are explicitly permitted. The deprecated @ffdc/nestjs-proxy is no longer maintained, so its users should migrate to @finastra/nestjs-proxy.
This guidance maps the vulnerability to real-world NestJS TypeScript usage and provides concrete steps to upgrade and implement the allow-list approach. It emphasizes upgrading to the patched package, removing reliance on deprecated packages, and adjusting code to explicitly authorize the cookie names that may be forwarded to backend services. The guidance also highlights the importance of validating the proxy configuration in dev and CI to prevent regressions that could reintroduce cookie exposure through misconfiguration. Finally, it suggests testing cookie handling behavior under common user flows and with representative test data to verify that only approved cookies are propagated downstream.
By adopting the recommended fix patterns and maintaining explicit cookie allow-lists, teams reduce the risk of exposing sensitive data through proxy calls in NestJS applications and align with CVE-2022-31070 remediation guidance for CWE-200.
Affected Versions
@finastra/nestjs-proxy: <0.7.0
@ffdc/nestjs-proxy: deprecated; upgrade to @finastra/nestjs-proxy
Code Fix Example
NestJS API Security Remediation
/* VULNERABLE PATTERN: cookies forwarded by default (no allow-list) */
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      backendUri: 'https://backend.internal',
      // No allowedCookies configured; cookies may be forwarded to backend
    }),
  ],
})
export class VulnerableAppModule {}

/* FIXED PATTERN: block sensitive cookies by default and use allow-list */
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      backendUri: 'https://backend.internal',
      allowedCookies: ['SESSIONID', 'AUTH_TOKEN'], // explicit allow-list for safe cookies
    }),
  ],
})
export class FixedAppModule {}
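
The default-deny forwarding with an explicit allow-list described in the Overview, written as a stand-alone helper that can also back the CI regression check the guidance recommends. This is an added example, not code from @finastra/nestjs-proxy; filterCookieHeader, buildDownstreamHeaders and the sample headers are hypothetical names and constructed values.

```typescript
// Added illustration: hypothetical helper names, not the @finastra/nestjs-proxy source.
type HeaderMap = { [name: string]: string | undefined };

// Keep only allow-listed cookie pairs from a Cookie request header.
// Returns undefined when nothing survives, so the caller drops the header entirely.
function filterCookieHeader(cookieHeader: string | undefined, allowedCookies: string[]): string | undefined {
  if (!cookieHeader) return undefined;
  const kept: string[] = [];
  for (const pair of cookieHeader.split(';')) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf('=');
    if (eq <= 0) continue; // skip empty or nameless pairs
    const name = trimmed.slice(0, eq).trim();
    // Exact, case-sensitive match: no prefix or substring matching.
    if (allowedCookies.indexOf(name) !== -1) kept.push(trimmed);
  }
  return kept.length > 0 ? kept.join('; ') : undefined;
}

// Build the header set for the downstream request. Default deny: with an
// empty allow-list no Cookie header is sent to the backend at all.
function buildDownstreamHeaders(incoming: HeaderMap, allowedCookies: string[]): HeaderMap {
  const out: HeaderMap = {};
  let cookieValue: string | undefined;
  for (const key of Object.keys(incoming)) {
    if (key.toLowerCase() === 'cookie') {
      cookieValue = incoming[key];
    } else {
      out[key] = incoming[key];
    }
  }
  const filtered = filterCookieHeader(cookieValue, allowedCookies);
  if (filtered !== undefined) out['cookie'] = filtered;
  return out;
}

// Constructed sample request headers (not captured traffic).
const sampleIncoming: HeaderMap = {
  accept: 'application/json',
  Cookie: 'connect.sid=s%3Aabc123; theme=dark; csrf=tok=en==',
};
const defaultDeny = buildDownstreamHeaders(sampleIncoming, []);
const themeOnly = buildDownstreamHeaders(sampleIncoming, ['theme']);
```

A CI test built on the same idea asserts that the session cookie never appears in the downstream headers unless its name is in the configured allow-list.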