SQL Injection The advisory has been revoked - it doesn't affect any version of package typeorm Open this link in a new tab
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.28% (69th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-TYPEORM-2940870
- published 5 Jul 2022
- disclosed 5 Jul 2022
- credit Unknown
Introduced: 5 Jul 2022
CVE-2022-33171 Open this link in a new tabAmendment
This was deemed not a vulnerability.
Overview
typeorm is an ORM that can run in NodeJS, Browser, Cordova, PhoneGap, Ionic, React Native, NativeScript, Expo, and Electron platforms and can be used with TypeScript and JavaScript (ES5, ES6, ES7, ES8).
Affected versions of this package are vulnerable to SQL Injection in the findOne(id)
and findOneOrFail(id)
functions, when it is passed a malicious FindOneOptions JSON object.
NOTE: The vendor does not consider this a vulnerability since user input should be validated elsewhere.
PoC:
curl -v [http://host/findByIds](http://containerip:4444/findByIds)' -H 'Content-Type: application/json' --data
'[{"where":"1=1; SELECT pg_sleep(10) --"}]'