CVE-2022-33171

Name of the Vulnerable Software and Affected Versions TypeORM versions prior to 0.3.0

Description The findOne function in TypeORM can be supplied with either a string or a FindOneOptions object. When the input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. The vendor's position is that the user's application is responsible for input validation.

Recommendations For TypeORM versions prior to 0.3.0, ensure that the input to the findOne function is properly validated to prevent SQL injection. As a temporary workaround, consider validating the input to ensure it is a string or a properly formatted FindOneOptions object before passing it to the findOne function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.