Cyber Resilience

CVE-2022-33171

Critical · Public PoC

Published: 04 July 2022
Modified: 21 November 2024
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0530 (90.2nd percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-33171 is a critical-severity SQL Injection (CWE-89) vulnerability in TypeORM. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a SQL injection flaw (CWE-89) in the findOne function of TypeORM versions before 0.3.0. The function accepts either a string identifier or a FindOneOptions object; when an application passes a user-controlled parsed JSON object directly to the function, an attacker can supply a malicious FindOneOptions value instead of a simple ID string, causing the ORM to construct and execute attacker-controlled SQL.

An unauthenticated remote attacker can exploit the issue over the network by submitting crafted JSON input to any application endpoint that forwards such data into findOne without additional validation. Successful exploitation yields full read/write access to the underlying database, enabling data exfiltration, modification, or deletion, which is reflected in the CVSS 3.1 base score of 9.8.

Public disclosures on Seclists and Packet Storm reference information-disclosure PoCs against TypeORM 0.3.7 and note the upstream change between 0.2.45 and 0.3.0; the project maintainers state that input validation remains the calling application’s responsibility. The associated EPSS score has remained low, reaching a peak of only 0.0599.

EU & UK References

Vulnerability details

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation

CWE(s)

CWE-89: SQL Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

typeorm / typeorm: ≤ 0.3.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing exercises database interfaces with SQL injection payloads, identifying SQL injection weaknesses and supporting their remediation.

Addresses CWE-89: Input validation checks query inputs before use to prevent manipulation of SQL syntax or commands.

References