CVE-2022-33171: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

July 4, 2022 (updated November 7, 2023)

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor’s position is that the user’s application is responsible for input validation

References

packetstormsecurity.com/files/168096/TypeORM-0.3.7-Information-Disclosure.html
seclists.org/fulldisclosure/2022/Aug/7
github.com/typeorm/typeorm/compare/0.2.45...0.3.0
nvd.nist.gov/vuln/detail/CVE-2022-33171
seclists.org/fulldisclosure/2022/Jun/51

Code Behaviors & Features

Detect and mitigate CVE-2022-33171 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →