CVE-2022-31069

Name of the Vulnerable Software and Affected Versions @finastra/nestjs-proxy versions prior to 0.7.0 @ffdc/nestjs-proxy (affected versions not specified)

Description The nestjs-proxy library did not have a way to control when Authorization headers should be forwarded for specific backend services configured by the application developer. This could have resulted in sensitive information such as OAuth bearer access tokens being inadvertently exposed to services that should not see them. A new feature has been introduced in the patched version of nestjs-proxy that allows application developers to opt out of forwarding the Authorization headers on a per service basis using the forwardToken config setting.

Recommendations For @finastra/nestjs-proxy versions prior to 0.7.0, update to version 0.7.0 to fix the issue. For @ffdc/nestjs-proxy users, update the package.json file to use @finastra/nestjs-proxy instead, as @ffdc/nestjs-proxy is deprecated and no longer maintained. As a temporary workaround, consider configuring the forwardToken setting to opt out of forwarding Authorization headers for sensitive services until the update is applied.