CVE-2022-31070: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Finastra finastra-nodejs-libs

Medium
Published: Wed Jun 15 2022 (06/15/2022, 19:05:12 UTC)
Source: CVE
Vendor/Project: Finastra
Product: finastra-nodejs-libs

Description

NestJS Proxy is a NestJS module to decorate and proxy calls. Prior to version 0.7.0, the nestjs-proxy library did not have a way to block sensitive cookies (e.g. session cookies) from being forwarded to backend services configured by the application developer. This could have led to sensitive cookies being inadvertently exposed to services that should not see them. The patched version now blocks cookies from being forwarded by default. However, developers can configure an allow-list of cookie names by using the `allowedCookies` config setting. This issue has been fixed in version 0.7.0 of `@finastra/nestjs-proxy`. Users of `@ffdc/nestjs-proxy` are advised that this package has been deprecated and is no longer being maintained or receiving updates. Such users should update their package.json file to use `@finastra/nestjs-proxy` instead.

AI-Powered Analysis

Last updated: 06/23/2025, 04:51:04 UTC

Technical Analysis

CVE-2022-31070 is a vulnerability classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. It affects the Finastra Node.js library package `@finastra/nestjs-proxy`, specifically versions prior to 0.7.0. This package is a NestJS module designed to decorate and proxy calls to backend services. The vulnerability arises because, before version 0.7.0, the library did not implement any mechanism to block sensitive cookies, such as session cookies, from being forwarded to backend services. Consequently, these sensitive cookies could be inadvertently exposed to backend services that should not have access to them, potentially allowing unauthorized actors who control or compromise those backend services to hijack sessions or gain unauthorized access. The issue was addressed in version 0.7.0 by introducing a default behavior that blocks cookies from being forwarded. Developers can override this behavior by specifying an allow-list of cookie names via the `allowedCookies` configuration setting, which should be used cautiously. Additionally, users of the deprecated package `@ffdc/nestjs-proxy` are advised to migrate to `@finastra/nestjs-proxy` since the former is no longer maintained or updated. There are no known exploits in the wild reported for this vulnerability, and no CVSS score has been assigned. The vulnerability primarily impacts confidentiality by exposing sensitive session information, but it does not directly affect integrity or availability. Exploitation requires the application to use an affected version of the library and proxy calls to backend services that should not receive sensitive cookies. No authentication or user interaction is explicitly required for exploitation, but the attacker would need access to the backend services receiving the cookies or the ability to intercept such traffic.
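The default-deny behaviour described above can be illustrated with a short filter over the request headers. This is an added example, not code from `@finastra/nestjs-proxy`: the function names are hypothetical, the `allowedCookies` parameter only mirrors the setting the advisory names, and the sample request is constructed.

```javascript
// Added example, not the library's code: default-deny cookie forwarding.
// parseCookieHeader and buildForwardHeaders are hypothetical names.

// Split a Cookie request header into { name, value } pairs.
function parseCookieHeader(header) {
  const pairs = [];
  if (typeof header !== 'string') return pairs;
  for (const part of header.split(';')) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    // No "=" (or an empty name) gives nothing to match against; drop it.
    if (eq <= 0) continue;
    pairs.push({ name: trimmed.slice(0, eq).trim(), value: trimmed.slice(eq + 1) });
  }
  return pairs;
}

// Copy request headers for the backend call, keeping only allow-listed cookies.
// With an empty allow-list (the default) no Cookie header is forwarded at all.
function buildForwardHeaders(incomingHeaders, allowedCookies = []) {
  const allowed = new Set(allowedCookies); // exact, case-sensitive names
  const forwarded = {};
  let cookieHeader;
  for (const [key, value] of Object.entries(incomingHeaders)) {
    if (key.toLowerCase() === 'cookie') cookieHeader = value;
    else forwarded[key] = value;
  }
  const kept = parseCookieHeader(cookieHeader).filter((c) => allowed.has(c.name));
  if (kept.length > 0) {
    forwarded.cookie = kept.map((c) => `${c.name}=${c.value}`).join('; ');
  }
  return forwarded;
}

// Constructed sample request: a session cookie next to a harmless preference.
const sampleHeaders = {
  accept: 'application/json',
  cookie: 'connect.sid=s%3Aconstructed.value; theme=dark; locale=en-GB',
};
console.log(buildForwardHeaders(sampleHeaders));            // no cookie header
console.log(buildForwardHeaders(sampleHeaders, ['theme'])); // cookie: 'theme=dark'
```

Matching on exact cookie names keeps a session cookie out of the forwarded request unless someone deliberately adds its name to the allow-list.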

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive session cookies, which can lead to session hijacking or unauthorized access to protected resources. Organizations using Finastra's Node.js libraries in their web applications or middleware that proxy requests to backend services are at risk if they have not updated to version 0.7.0 or later. The exposure of session cookies can compromise user confidentiality and trust, potentially leading to data breaches involving personal data protected under GDPR. Financial institutions and other sectors relying on Finastra's software components may face regulatory and reputational damage if sensitive information is leaked. The impact is heightened in environments where backend services are managed by third parties or have weaker security controls, increasing the likelihood that exposed cookies could be intercepted or misused. However, since exploitation requires specific application configurations and no widespread exploits are reported, the immediate risk is moderate but should not be underestimated, especially in critical sectors such as banking, insurance, and financial services prevalent in Europe.

Mitigation Recommendations

1. Immediate upgrade to `@finastra/nestjs-proxy` version 0.7.0 or later to ensure the default blocking of sensitive cookies is enforced.
2. Audit existing applications to identify usage of the deprecated `@ffdc/nestjs-proxy` package and migrate to the maintained `@finastra/nestjs-proxy` package.
3. Review and minimize the `allowedCookies` configuration to only include cookies that are absolutely necessary to forward, avoiding broad allow-lists that could reintroduce exposure risks.
4. Implement strict backend service access controls and network segmentation to limit exposure of proxied requests and cookies to only trusted services.
5. Conduct security reviews and penetration testing focused on cookie handling and proxy configurations to detect inadvertent leakage.
6. Monitor logs and network traffic for unusual access patterns or unauthorized use of session cookies.
7. Educate developers on secure cookie handling practices, emphasizing the risks of forwarding sensitive cookies to backend services.
8. For organizations using Finastra products, coordinate with vendors to ensure timely updates and patches are applied across all affected systems.
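Steps 1 and 2 can be checked mechanically against each application's `package.json`. The following is an added example, not tooling from Finastra or this advisory: `auditManifest` and its helpers are hypothetical names, and the version ranges in the sample manifest are constructed. It compares only the first version written in the declared range, so the lockfile remains the authority on what is actually installed.

```javascript
// Added example: flag package.json manifests still exposed to CVE-2022-31070.
const FIXED_VERSION = [0, 7, 0]; // first patched release per the advisory
const DEPRECATED_PKG = '@ffdc/nestjs-proxy';
const MAINTAINED_PKG = '@finastra/nestjs-proxy';
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Heuristic: take the first x.y.z in the range (e.g. "^0.6.1" -> [0, 6, 1]).
function firstDeclaredVersion(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(range));
  return m ? m.slice(1, 4).map(Number) : null;
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // equal versions are not below
}

function auditManifest(manifest) {
  const findings = [];
  for (const section of SECTIONS) {
    const deps = manifest[section] || {};
    if (DEPRECATED_PKG in deps) {
      findings.push({ section, name: DEPRECATED_PKG, issue: 'deprecated-package' });
    }
    if (MAINTAINED_PKG in deps) {
      const version = firstDeclaredVersion(deps[MAINTAINED_PKG]);
      if (version === null) {
        // Tags, git URLs and partial versions need a manual look at the lockfile.
        findings.push({ section, name: MAINTAINED_PKG, issue: 'unparsed-range' });
      } else if (isBelow(version, FIXED_VERSION)) {
        findings.push({ section, name: MAINTAINED_PKG, issue: 'below-0.7.0' });
      }
    }
  }
  return findings;
}

// Constructed sample manifest.
const sampleManifest = {
  dependencies: { '@ffdc/nestjs-proxy': '^0.6.0', '@nestjs/core': '^8.0.0' },
  devDependencies: { '@finastra/nestjs-proxy': '~0.6.2' },
};
console.log(auditManifest(sampleManifest));
```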

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-05-18T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf349e

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 4:51:04 AM

Last updated: 8/9/2025, 10:20:02 AM
