Unrestricted Resource Consumption

Unrestricted Resource Consumption in NestJS - Proxy Cookie [CVE-2022-31070]

[Fixed month year] Updated CVE-2022-31070

Overview

CVE-2022-31070 describes a vulnerability in nestjs-proxy, a NestJS module used to decorate and proxy calls between services. Before version 0.7.0 of @finastra/nestjs-proxy (and in the deprecated @ffdc/nestjs-proxy), every cookie on an inbound request was forwarded to the downstream backend by default, and the module offered no way to block sensitive ones. Backend services therefore received cookies they should never see, such as session or authentication cookies. This is CWE-200: Exposure of Sensitive Information. A compromised or untrusted backend can replay a forwarded session cookie to hijack the session, or use the cookie values to correlate a user's activity across services.

Although the defect is cookie handling rather than resource exhaustion, the forwarded data also creates operational risk: downstream services may log, audit, or otherwise mishandle cookie values, and a compromise of any such service widens the blast radius to every upstream session whose cookies it received. Misconfiguration alone, with no attacker involved, is enough to send tokens to an endpoint that was never meant to hold them.

Version 0.7.0 changes the default so that no cookies are forwarded and adds a module option, allowedCookies, that names the cookies which may be forwarded. With an explicit allow-list, developers keep the cookies a backend legitimately needs while blocking everything else. Upgrading to 0.7.0 or later and configuring allowedCookies is the recommended mitigation.

Beyond upgrading: replace the deprecated @ffdc/nestjs-proxy with @finastra/nestjs-proxy, review dependencies for other deprecated packages, and add integration tests that assert the Cookie header reaching each backend contains only allow-listed names. Keep the allow-list minimal; a cookie should appear in it only when the backend in question actually authenticates or authorizes on that cookie.

Affected Versions

@finastra/nestjs-proxy before 0.7.0; @ffdc/nestjs-proxy (deprecated; migrate to @finastra/nestjs-proxy 0.7.0 or later)

Code Fix Example

NestJS API Security Remediation
// Vulnerable pattern (pre-0.7.0, or the deprecated @ffdc package):
// there is no allowedCookies option, so every inbound cookie, including the
// session cookie, is copied onto the request sent to http://backend-service.
import { Module } from '@nestjs/common';
import { ProxyModule } from '@ffdc/nestjs-proxy';

@Module({
  imports: [
    ProxyModule.forRoot({
      target: 'http://backend-service'
    })
  ],
})
export class AppModule {}

// Fixed pattern (@finastra/nestjs-proxy >= 0.7.0): cookies are dropped by
// default, and only the names listed in allowedCookies reach the backend.
import { Module } from '@nestjs/common';
import { ProxyModule as FinastraProxyModule } from '@finastra/nestjs-proxy';

@Module({
  imports: [
    FinastraProxyModule.forRoot({
      target: 'http://backend-service',
      // Allow-list of cookie names to forward; everything else is stripped.
      // List only cookies this backend genuinely needs (e.g. it validates the session itself).
      allowedCookies: ['SESSIONID', 'XSRF-TOKEN']
    })
  ],
})
export class AppModuleFixed {}
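The following is an added example, not code from the page or from the nestjs-proxy project. It models the cookie-forwarding behaviour described in the Overview and the test the Overview recommends: a Cookie header is parsed, filtered against an allow-list in the way allowedCookies is described to work (no list means no cookies), and a check reports any cookie name that reached the backend without being allowed. The headers object, the ProxyCookiePolicy type and its legacyForwardAll switch (which stands in for the pre-0.7.0 default) are assumptions for this example; the sample request is constructed.

```typescript
// Added example modelling the allowedCookies behaviour described for CVE-2022-31070.
// Illustrative code, not the @finastra/nestjs-proxy implementation: the request is a
// plain headers object and the policy type below is an assumption of this example.

interface ProxyCookiePolicy {
  // Cookie names that may be forwarded. Missing or empty means forward none (0.7.0 default).
  allowedCookies?: string[];
  // Hypothetical switch reproducing the pre-0.7.0 behaviour of forwarding every cookie.
  legacyForwardAll?: boolean;
}

// Split a Cookie header into [name, value] pairs in order. The first '=' separates name
// from value, so values that themselves contain '=' (base64, JWT-like tokens) stay intact.
function parseCookieHeader(header: string | undefined): Array<[string, string]> {
  const pairs: Array<[string, string]> = [];
  for (const part of (header ?? '').split(';')) {
    const item = part.trim();
    if (item === '') continue;
    const eq = item.indexOf('=');
    // A cookie-pair without '=' is malformed; keep it as a bare name so it is still filtered.
    pairs.push(eq === -1 ? [item, ''] : [item.slice(0, eq), item.slice(eq + 1)]);
  }
  return pairs;
}

// Produce the Cookie header to send downstream, or undefined when nothing may be sent.
function filterCookieHeader(header: string | undefined, policy: ProxyCookiePolicy): string | undefined {
  if (policy.legacyForwardAll) return header; // vulnerable: everything is relayed verbatim
  const allowed = new Set(policy.allowedCookies ?? []);
  if (allowed.size === 0) return undefined; // secure default: no allow-list, no cookies
  const kept = parseCookieHeader(header).filter(([name]) => allowed.has(name));
  return kept.length === 0 ? undefined : kept.map(([n, v]) => `${n}=${v}`).join('; ');
}

// Build the header set the proxy would send to the backend. The raw Cookie header is
// never copied through; only the filtered result is re-added. Header names are matched
// case-insensitively so a hand-built object behaves like Node's lower-cased headers.
function buildForwardHeaders(inbound: Record<string, string>, policy: ProxyCookiePolicy): Record<string, string> {
  const out: Record<string, string> = {};
  let rawCookie: string | undefined;
  for (const [name, value] of Object.entries(inbound)) {
    if (name.toLowerCase() === 'cookie') {
      rawCookie = value;
    } else {
      out[name] = value;
    }
  }
  const cookie = filterCookieHeader(rawCookie, policy);
  if (cookie !== undefined) out['cookie'] = cookie;
  return out;
}

// Integration-test check: cookie names present in the forwarded header that the policy
// does not permit. An empty array means nothing leaked.
function leakedCookies(forwardedCookie: string | undefined, policy: ProxyCookiePolicy): string[] {
  const allowed = new Set(policy.allowedCookies ?? []);
  return parseCookieHeader(forwardedCookie).map(([name]) => name).filter((name) => !allowed.has(name));
}

// Constructed sample request (not captured from a real deployment).
const sampleInbound: Record<string, string> = {
  host: 'api.example.test',
  cookie: 'SESSIONID=abc123; XSRF-TOKEN=t=1; admin_sso=secret; theme=dark',
  'x-request-id': 'r-1',
};
const fixedPolicy: ProxyCookiePolicy = { allowedCookies: ['SESSIONID', 'XSRF-TOKEN'] };

const forwardedLegacy = buildForwardHeaders(sampleInbound, { legacyForwardAll: true });
const forwardedDefault = buildForwardHeaders(sampleInbound, {});
const forwardedAllowed = buildForwardHeaders(sampleInbound, fixedPolicy);

console.log('legacy :', forwardedLegacy.cookie);  // admin_sso and theme leak to the backend
console.log('default:', forwardedDefault.cookie); // undefined: nothing forwarded
console.log('fixed  :', forwardedAllowed.cookie); // SESSIONID=abc123; XSRF-TOKEN=t=1
console.log('leaked :', leakedCookies(forwardedLegacy.cookie, fixedPolicy)); // [ 'admin_sso', 'theme' ]
```

In a real NestJS test, leakedCookies would be run against the Cookie header captured by a stub backend (for example a local HTTP server the proxy is pointed at), and the test fails if the array is non-empty. Matching on exact cookie names is deliberate: a prefix or pattern match would let a renamed or lookalike cookie slip through the allow-list.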

CVE References

CVE-2022-31070 (CWE-200: Exposure of Sensitive Information) in @finastra/nestjs-proxy before 0.7.0 and the deprecated @ffdc/nestjs-proxy