5.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31070

GHSA ID

GHSA-77mv-4rg7-r8qv

EPSS Score

0.43289%

CWE

CWE-200

Published

6/17/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31070

CVE-2022-31070: Potential Sensitive Cookie Exposure in NPM Packages @finastra/nestjs-proxy, @ffdc/nestjs-proxy

The nestjs-proxy library did not have a way to block sensitive cookies (e.g. session cookies) from being forwarded to backend services configured by the application developer. This could have led to sensitive cookies being inadvertently exposed to such services that should not see them.

The patched version now blocks cookies from being forwarded by default. However developers can configure an allow-list of cookie names by using the allowedCookies config setting. Further details of this feature can be found in the library's README on Github or NPM.

Patches

This issue has been fixed in version 0.7.0 of @finastra/nestjs-proxy.
Users of @ffdc/nestjs-proxy are advised that this package has been deprecated and is no longer being maintained or receiving updates. Please update your package.json file to use @finastra/nestjs-proxy instead.

References

https://github.com/Finastra/finastra-nodejs-libs/pull/232
https://github.com/Finastra/finastra-nodejs-libs/blob/master/libs/proxy/README.md

(GitHub Advisory)

5.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31070

GHSA ID

GHSA-77mv-4rg7-r8qv

EPSS Score

0.43289%

CWE

CWE-200

Published

6/17/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@finastra/nestjs-proxy	npm	< 0.7.0	0.7.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from uncontrolled cookie forwarding in proxy middleware. The core issue would exist in the proxy request handling function that manages header transmission to backend services. The patch introduced cookie filtering via allowedCookies, indicating the original implementation lacked this security control. The createProxyMiddleware is a standard NestJS proxy implementation point where cookie headers would be processed, making it the most likely vulnerable function. Confidence is high due to: 1) The nature of the vulnerability requiring request proxying logic 2) Standard proxy implementation patterns in NestJS 3) The patch's focus on cookie filtering at the proxy level

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** n*stjs-proxy li*r*ry *i* not **v* * w*y to *lo*k s*nsitiv* *ooki*s (*.*. s*ssion *ooki*s) *rom **in* *orw*r*** to ***k*n* s*rvi**s *on*i*ur** *y t** *ppli**tion **v*lop*r. T*is *oul* **v* l** to s*nsitiv* *ooki*s **in* in**v*rt*ntly *xpos** to su

Reasoning

T** vuln*r**ility st*ms *rom un*ontroll** *ooki* *orw*r*in* in proxy mi**l*w*r*. T** *or* issu* woul* *xist in t** proxy r*qu*st **n*lin* `*un*tion` t**t m*n***s *****r tr*nsmission to ***k*n* s*rvi**s. T** p*t** intro*u*** *ooki* *ilt*rin* vi* `*llo

5.8

Basic Information

Concerned about an active attack path?

CVE-2022-31070: Potential Sensitive Cookie Exposure in NPM Packages @finastra/nestjs-proxy, @ffdc/nestjs-proxy

Patches

References

5.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI