CVE-2022-33171 — SQL injection in typeORM

Description

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation.

How to fix CVE-2022-33171

To remediate CVE-2022-33171, upgrade the affected package to a fixed version below.

—upgrade to 0.3.0 or later

Is CVE-2022-33171 being exploited?

Moderate — EPSS is 5.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 0.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-33171
WEBpacketstormsecurity.com/files/168096/TypeORM-0.3.7-Information-Disclosure.html
WEBseclists.org/fulldisclosure/2022/Aug/7
WEBgithub.com/typeorm/typeorm/compare/0.2.45...0.3.0