
SSRF in NestJS Proxy: Fix Unauthorized Token Forwarding [CVE-2022-31069]

[Updated Mar 2026] Updated CVE-2022-31069

Overview

CVE-2022-31069 is a data exposure vulnerability in the NestJS proxy library (nestjs-proxy): by default, Authorization headers could be forwarded to downstream or misconfigured backend services. This could leak sensitive information such as OAuth bearer access tokens to services that should not see them, enabling token misuse or internal resource abuse and contributing to SSRF-like scenarios when those tokens are used to access internal resources. In real-world NestJS apps, an attacker or a misconfiguration could cause tokens to be forwarded to unintended targets, leading to token leakage and potential unauthorized access across internal networks. The issue is classified under CWE-200 (Information Exposure).

The fix was introduced in version 0.7.0 of @finastra/nestjs-proxy. Users of the deprecated @ffdc/nestjs-proxy should migrate to @finastra/nestjs-proxy to receive updates and protection.

Affected Versions

@finastra/nestjs-proxy: < 0.7.0; @ffdc/nestjs-proxy: < 0.7.0 (deprecated)

Code Fix Example

NestJS API Security Remediation
// Vulnerable pattern
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      proxies: [
        { name: 'internal', url: 'http://internal-service', forwardToken: true } // vulnerable: forwards Authorization header
      ]
    })
  ]
})
export class AppModule {}

// Fixed pattern
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      proxies: [
        { name: 'internal', url: 'http://internal-service', forwardToken: false } // fixed: Authorization header is not forwarded
      ]
    })
  ]
})
export class AppModuleFixed {}
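
The configuration above turns token forwarding off for one service. As an added example (not code from this page or from @finastra/nestjs-proxy), the sketch below applies the same idea as a default-deny rule: the Authorization header reaches an upstream only when the service opts in explicitly and its host is on an allowlist, and a companion audit lists services whose config would send tokens elsewhere. The `ProxyService` shape mirrors the fields used in the config above; `TOKEN_TRUSTED_HOSTS` and all function names are assumptions made for illustration.

```typescript
// Added example, not library code. ProxyService mirrors the fields in this
// page's config; TOKEN_TRUSTED_HOSTS and all function names are hypothetical.
interface ProxyService {
  name: string;
  url: string;
  forwardToken?: boolean;
}
type HeaderMap = Record<string, string>;

// Constructed allowlist: the only upstream hosts allowed to see caller tokens.
const TOKEN_TRUSTED_HOSTS: readonly string[] = ['internal-service'];

// Lowercase host of an absolute URL, ignoring userinfo and port; null if unparsable.
function hostOf(url: string): string | null {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;
  const authority = m[1] ?? '';
  const hostPort = authority.slice(authority.lastIndexOf('@') + 1);
  const host = hostPort.replace(/:\d*$/, '').toLowerCase();
  return host.length > 0 ? host : null;
}

function isTrustedHost(url: string): boolean {
  const host = hostOf(url);
  return host !== null && TOKEN_TRUSTED_HOSTS.indexOf(host) !== -1;
}

// Default deny: forward only on explicit opt-in to an allowlisted host.
function mayForwardToken(svc: ProxyService): boolean {
  return svc.forwardToken === true && isTrustedHost(svc.url);
}

// Build upstream headers, dropping Authorization (any casing) unless allowed.
function upstreamHeaders(svc: ProxyService, incoming: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const key of Object.keys(incoming)) {
    if (key.toLowerCase() === 'authorization' && !mayForwardToken(svc)) continue;
    out[key] = incoming[key] ?? '';
  }
  return out;
}

// Config audit: names of services where forwardToken is true or unset (the
// page describes forwarding as the default) and the host is not allowlisted.
function auditTokenForwarding(services: ProxyService[]): string[] {
  return services
    .filter((s) => s.forwardToken !== false && !isTrustedHost(s.url))
    .map((s) => s.name);
}
```
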

CVE References
