CVE-2022-31069: 
JavaScript vulnerability analysis and mitigation

NestJS Proxy, a NestJS module for decorating and proxying calls, contained a security vulnerability prior to version 0.7.0 (CVE-2022-31069). The vulnerability stemmed from the library's inability to control when Authorization headers should be forwarded for specific backend services configured by application developers (NVD).

The vulnerability existed due to the lack of control mechanisms for Authorization header forwarding in service configurations. This could potentially lead to sensitive information exposure, particularly OAuth bearer access tokens, to unauthorized backend services. The issue was assigned CWE-200 (Information Exposure) classification (NVD CNA Status).

The primary impact of this vulnerability was the potential exposure of sensitive information, specifically OAuth bearer access tokens, to backend services that should not have access to them. This could lead to unauthorized access to protected resources and potential compromise of authentication mechanisms (MITRE CVE).

The issue has been fixed in version 0.7.0 of @finastra/nestjs-proxy. The patch introduced a new feature allowing application developers to opt out of forwarding Authorization headers on a per-service basis using the forwardToken config setting. Users of the deprecated @ffdc/nestjs-proxy package are advised to update their package.json file to use @finastra/nestjs-proxy instead (GitHub Advisory).