NestJS SSRF Cookie Block (CVE-2022-31070)

[Updated March 2026] Updated CVE-2022-31070

Overview

In CVE-2022-31070, the NestJS Proxy (nestjs-proxy) library allowed sensitive cookies, such as session cookies, to be forwarded to backend services configured by the application developer. A server acting as a proxy could therefore inadvertently expose a user’s cookies to internal services or downstream systems, increasing both information disclosure and SSRF-related risk. If an attacker could influence the proxy configuration, or could access a proxy endpoint that forwarded cookies unfiltered, they could potentially exfiltrate or reuse cookies in requests to protected resources, undermining authentication and session integrity.

The issue maps to CWE-200 (Exposure of Sensitive Information), here through improper handling of authentication data and cookies in a proxy context. It existed in versions of the nestjs-proxy integration prior to the patch and is tracked as CVE-2022-31070. The exposure arose because the proxy forwarded cookies by default, without a strict allow-list, so cookies could traverse from the client through the proxy to backend APIs that should not receive them. Attackers could leverage this behavior to piggyback on user sessions or gain access to internal services that relied on cookie-based authentication.

The remediation was implemented in the patched version 0.7.0 of @finastra/nestjs-proxy, which blocks cookies from being forwarded by default and introduces an allow-list mechanism via the allowedCookies setting. Developers using the deprecated @ffdc/nestjs-proxy should migrate to @finastra/nestjs-proxy to receive the fix and ongoing maintenance.

To safely deploy NestJS proxies in a way that mitigates SSRF and sensitive-data exposure, follow a minimal change path: upgrade to the patched package, replace the legacy import, and explicitly whitelist only the cookies that must be forwarded. This aligns with the CVE guidance and ensures that cookie data is not leaked to arbitrary backend targets, reducing the risk of token leakage and unintended cross-service access.

Affected Versions

< 0.7.0 for @finastra/nestjs-proxy; legacy @ffdc/nestjs-proxy before deprecation

Code Fix Example

NestJS API Security Remediation
Vulnerable pattern (pre-0.7.0, using legacy package):
import { Module } from '@nestjs/common';
import { ProxyModule } from '@ffdc/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      backend: 'http://internal-backend.local',
      // Cookies are forwarded by default to the backend
    }),
  ],
})
export class AppModule {}

Fixed pattern (0.7.0+ with maintained package):
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      backend: 'http://internal-backend.local',
      allowedCookies: ['session'], // whitelist only necessary cookies
    }),
  ],
})
export class AppModule {}
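
The deny-by-default allow-list that allowedCookies configures, sketched as an added example. This is not the @finastra/nestjs-proxy source: filterCookieHeader, buildUpstreamHeaders and the sample headers are hypothetical names and constructed data, useful for unit-testing what a proxy should and should not forward.

```typescript
// Added example: a sketch of cookie allow-listing, not the library's code.
type HeaderMap = Record<string, string | undefined>;

// Returns the Cookie header to send upstream, or undefined to send none.
function filterCookieHeader(
  cookieHeader: string | undefined,
  allowedCookies: string[],
): string | undefined {
  // Deny by default: with no allow-list, no cookie leaves the proxy.
  if (!cookieHeader || allowedCookies.length === 0) return undefined;
  const kept: string[] = [];
  for (const pair of cookieHeader.split(';')) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf('=');
    if (eq <= 0) continue; // skip empty or nameless pairs
    const cookieName = trimmed.slice(0, eq).trim();
    // Exact, case-sensitive match only; values may themselves contain '='.
    if (allowedCookies.indexOf(cookieName) !== -1) {
      kept.push(cookieName + '=' + trimmed.slice(eq + 1));
    }
  }
  return kept.length > 0 ? kept.join('; ') : undefined;
}

// Copies client headers for the backend request, replacing Cookie with the filtered value.
function buildUpstreamHeaders(incoming: HeaderMap, allowedCookies: string[] = []): HeaderMap {
  const out: HeaderMap = {};
  let cookieValue: string | undefined;
  for (const key of Object.keys(incoming)) {
    if (key.toLowerCase() === 'cookie') {
      cookieValue = incoming[key]; // header names are case-insensitive
      continue;
    }
    out[key] = incoming[key];
  }
  const filtered = filterCookieHeader(cookieValue, allowedCookies);
  if (filtered !== undefined) out['cookie'] = filtered;
  return out;
}

// Constructed sample headers, as a browser might send them to the proxy.
const sampleHeaders: HeaderMap = {
  accept: 'application/json',
  Cookie: 'session=abc123; csrf=tok=en; tracking=xyz; Session=shadow',
};
console.log(buildUpstreamHeaders(sampleHeaders));
console.log(buildUpstreamHeaders(sampleHeaders, ['session']));
```

With no allow-list the backend request carries no Cookie header at all; with ['session'] only the exact-match session cookie is forwarded, and the differently cased Session cookie is dropped.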

CVE References
