Overview
In real-world NestJS deployments, the nestjs-proxy module lets developers decorate and proxy calls to multiple backend services. CVE-2022-31069 describes a vulnerability where, prior to the patch, the Authorization header was forwarded to downstream services without restriction, so OAuth bearer tokens could leak to services that should not have access to them. This could enable token theft or unauthorized actions across services, particularly in multi-tenant or service-mesh architectures where tokens are meant to be scoped narrowly. The issue prompts a re-evaluation of how and where credentials are forwarded in a distributed UI/backend proxy setup.

The exposure occurs when a proxy layer forwards the Authorization header to all configured downstream endpoints with no per-service control. An attacker or a misconfigured application could observe or reuse a leaked token, potentially leading to unauthorized access and wasted resources as token-protected operations are invoked across services. While not a classic Denial of Service by itself, token leakage can amplify resource consumption through abuse of protected APIs and through compromised services. The CVE underlines the need for safer token handling in proxy libraries used by NestJS apps.

Fix guidance: upgrade and enforce per-service token handling. The patched behavior introduces a forwardToken configuration option to opt out of forwarding the Authorization header on a per-service basis. Upgrading to @finastra/nestjs-proxy v0.7.0 (and migrating off the deprecated @ffdc/nestjs-proxy) is essential. Once upgraded, configure forwardToken: false for services that should not see the token, and enable forwarding only where token usage is intentional. Review the library README for concrete examples and service-specific guidance.

After upgrading, implement verification and monitoring: a) audit downstream services to confirm tokens are not logged or stored; b) add tests to ensure forwardToken is honored per service; c) document your forwarding policy and update CI checks to prevent regressions; d) keep dependencies up to date to mitigate related risks.
Affected Versions
@finastra/nestjs-proxy: <0.7.0 (vulnerable); >=0.7.0 (patched). @ffdc/nestjs-proxy: deprecated; no longer maintained.
Code Fix Example
NestJS API Security Remediation
// Vulnerable pattern: no per-service forwardToken control, so the incoming
// Authorization header reaches every configured service
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.register({
      services: [
        { name: 'internal-auth', url: 'https://auth.internal' },
        { name: 'billing', url: 'https://billing.internal' }
      ]
    })
  ]
})
export class AppModule {}

// Fixed pattern (@finastra/nestjs-proxy >= 0.7.0): per-service forwardToken
// controls enabled; the token is withheld from internal-auth and forwarded
// only to billing, where its use is intentional
import { Module } from '@nestjs/common';
import { ProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.register({
      services: [
        { name: 'internal-auth', url: 'https://auth.internal', forwardToken: false },
        { name: 'billing', url: 'https://billing.internal', forwardToken: true }
      ]
    })
  ]
})
export class AppModule {}
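The following is an added example, not code from the nestjs-proxy library: it models the per-service forwarding decision the forwardToken option describes and adds the kind of configuration audit a CI check could run to catch regressions. The names ServiceConfig, buildUpstreamHeaders and auditTokenForwarding are this example's own, and its deny-by-default treatment of a missing flag is the example's policy choice, not a statement about the library's default.

```typescript
// Per-service Authorization forwarding policy and config audit (added example;
// helper names and the deny-by-default choice are assumptions of this example).

interface ServiceConfig {
  name: string;
  url: string;
  forwardToken?: boolean; // per-service opt-in/opt-out, as in the patched module
}

type Headers = Record<string, string>;

// Build the header set sent to one upstream service. The Authorization header
// is copied only when the service explicitly opts in with forwardToken: true;
// an absent flag is treated as "do not forward" (deny by default).
function buildUpstreamHeaders(service: ServiceConfig, incoming: Headers): Headers {
  const out: Headers = {};
  for (const name of Object.keys(incoming)) {
    const lower = name.toLowerCase();
    if (lower === 'authorization' && service.forwardToken !== true) {
      continue; // strip the bearer token for this service
    }
    out[lower] = incoming[name];
  }
  return out;
}

// CI-style audit: list the services that will receive the caller's token and
// those with no recorded decision, so every forwarding choice is reviewed
// before the configuration ships.
function auditTokenForwarding(services: ServiceConfig[]): { forwards: string[]; unset: string[] } {
  const forwards = services.filter(s => s.forwardToken === true).map(s => s.name);
  const unset = services.filter(s => s.forwardToken === undefined).map(s => s.name);
  return { forwards, unset };
}

// Constructed sample configuration mirroring the fixed pattern above, plus one
// service whose owners have not yet recorded a decision.
const SERVICES: ServiceConfig[] = [
  { name: 'internal-auth', url: 'https://auth.internal', forwardToken: false },
  { name: 'billing', url: 'https://billing.internal', forwardToken: true },
  { name: 'reports', url: 'https://reports.internal' },
];

// Constructed inbound request headers carrying a placeholder bearer token.
const INCOMING: Headers = {
  Authorization: 'Bearer <placeholder-token>',
  'Content-Type': 'application/json',
};
```

Running auditTokenForwarding(SERVICES) in CI and failing the build when unset is non-empty turns the documented forwarding policy into an enforced one.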