CVE-2022-31070: Potential Sensitive Cookie Exposure in NPM Packages @finastra/nestjs-proxy, @ffdc/nestjs-proxy
5.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.43289%
CWE
Published
6/17/2022
Updated
1/27/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
@finastra/nestjs-proxy | npm | < 0.7.0 | 0.7.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from uncontrolled cookie forwarding in proxy middleware. The core issue would exist in the proxy request handling function
that manages header transmission to backend services. The patch introduced cookie filtering via allowedCookies
, indicating the original implementation lacked this security control. The createProxyMiddleware
is a standard NestJS proxy implementation point where cookie headers would be processed, making it the most likely vulnerable function
. Confidence is high due to: 1) The nature of the vulnerability requiring request proxying logic 2) Standard proxy implementation patterns in NestJS 3) The patch's focus on cookie filtering at the proxy level