## https://sploitus.com/exploit?id=395D529A-84BB-5413-96BA-84BB2470F460
# CVE-2022-33171: TypeORM SQL Injection
## Note: This is a work-in-progress analysis of CVE-2022-33171. The details provided here may be updated as further information becomes available.currently not working
## Vulnerability Details
**CVE ID:** CVE-2022-33171
**Product:** TypeORM
**Affected Versions:** < 0.3.0
**Vulnerability Type:** SQL Injection
**Date Disclosed:** June 28, 2022
## Description
The `findOne(id)` and `findOneOrFail(id)` functions in TypeORM before version 0.3.0 can be supplied with either a string or a `FindOneOptions` object. When the input to this function is a user-controlled parsed JSON object, supplying a crafted `FindOneOptions` instead of an id string leads to SQL injection.
### Root Cause
The vulnerability exists because:
1. The `findOne()` function accepts flexible input types (string or FindOneOptions object)
2. When user input is parsed as JSON and passed directly to the function, an attacker can supply a malicious FindOneOptions object
3. The resulting SQL query incorporates the attacker-controlled object properties without proper sanitization
### Maintainer's Response
The TypeORM maintainers stated that the root cause is insufficient input validation on the application side, not the library itself. However, this function is explicitly designed to accept user input, making the argument defensible that the library should handle this safely.
## Impact
- **Severity:** High
- **SQL Injection:** Attackers can execute arbitrary SQL queries
- **Data Exfiltration:** Unauthorized access to sensitive data
- **Data Manipulation:** Potential modification or deletion of data
- **Denial of Service:** Database resource exhaustion via expensive queries
## Fix
**Upgrade to TypeORM 0.3.0 or later**, which includes fixes for this vulnerability.
## Timeline
- **June 28, 2022:** Vulnerability disclosed on Full Disclosure mailing list
- **Before 0.3.0:** Vulnerability existed
- **0.3.0+:** Vulnerability fixed by TypeORM maintainers
### References
- [CVE-2022-33171](https://www.cvedetails.com/cve/CVE-2022-33171/)
- [Seclists](https://seclists.org/fulldisclosure/2022/Aug/7)