VYPR
Critical severity · NVD Advisory · Published Sep 18, 2020 · Updated Aug 4, 2024

CVE-2020-8158

Description

Prototype pollution in TypeORM < 0.2.25 allows attackers to modify Object properties, enabling DoS or SQL injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2020-8158 is a prototype pollution vulnerability in the TypeORM object-relational mapping library for TypeScript and JavaScript. The flaw exists in versions prior to 0.2.25, where insufficient input validation allows an attacker to inject properties into an object's prototype chain using a crafted payload. Prototype pollution occurs when user-controlled data is merged or assigned into an object without proper sanitization, enabling the attacker to alter the behavior of all objects of that type [1].
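
The merge pattern described above, as an added illustration that is not TypeORM's code and not part of the original advisory: a generic recursive merge (`unsafeMerge`, a hypothetical name) beside a hardened form (`safeMerge`, also hypothetical) that skips prototype-related keys, both run on a constructed JSON input.

```javascript
// Added illustration (generic code, not TypeORM's); names and input are constructed.

// Weak form: copies every key, including "__proto__", into the target.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes onto the prototype shared by every plain object.
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: skips keys that reach a prototype and only recurses
// into properties the target itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges on one constructed input; reports what a fresh object sees after each.
function compareMerges() {
  const input = JSON.parse('{"where": {"id": 1}, "__proto__": {"polluted": "yes"}}');
  const merged = safeMerge({}, input);
  const afterSafe = ({}).polluted;
  unsafeMerge({}, input);
  const afterUnsafe = ({}).polluted;
  delete Object.prototype.polluted; // restore global state after the demonstration
  return { merged, afterSafe, afterUnsafe, afterCleanup: ({}).polluted };
}
```

The key filter illustrates the class of fix only; for this CVE the remedy stated in the advisory remains upgrading to 0.2.25.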

Exploitation

An attacker can exploit this vulnerability by sending specially crafted input that, when processed by TypeORM's query building or object parsing functions, pollutes the Object prototype. This does not require authenticated access if the application exposes endpoints that handle unsanitized user input through affected TypeORM methods. The attack surface includes any application that uses TypeORM for database operations and accepts JSON or other structured data from users [1].

Impact

Successful exploitation allows the attacker to add or modify properties on all objects, leading to denial of service (e.g., by overriding critical properties that cause crashes) or SQL injection (by altering property values that are interpolated into SQL queries without proper escaping). The severity is elevated because prototype pollution can propagate across the entire application's object model, potentially affecting security-sensitive operations [1].

Mitigation

TypeORM released version 0.2.25, which patches the vulnerability by properly sanitizing inputs to prevent prototype pollution. Users are strongly advised to upgrade to the latest version. No workaround is documented; upgrading is the only reliable mitigation. The issue was reported via HackerOne and is publicly disclosed, increasing the risk of exploitation if unpatched instances remain in production [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
typeorm (npm) | < 0.2.25 | 0.2.25
