VYPR
Critical severity · NVD Advisory · Published Jul 4, 2022 · Updated Aug 3, 2024

CVE-2022-33171

Description

TypeORM before 0.3.0 allows SQL injection via the findOne function when a crafted FindOneOptions object is supplied instead of an id string.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability resides in the findOne function of TypeORM versions prior to 0.3.0. According to the official description [2], this function can accept either a string identifier or a FindOneOptions object. When the argument is a user-controlled object produced by parsing JSON, an attacker can supply a crafted FindOneOptions object instead of a plain id string, leading to SQL injection. The root cause is that the library did not validate the type of the argument when an object was provided, so the structure of the caller's object shaped the database query.

Exploitation does not require authentication if the application exposes the findOne function to user-supplied JSON. An attacker with network access to an endpoint that passes unsanitized user input to findOne can inject SQL operators or conditions within the FindOneOptions object. The attack surface is broad because many web applications using TypeORM rely on this API to look up records based on user input.

The impact of successful exploitation is high, as an attacker can execute arbitrary SQL commands against the database backend. This could lead to unauthorized data access, data modification, or complete database compromise. The SQL injection is direct and does not require complex chaining, making it a significant threat.

The project addressed this issue in version 0.3.0, as indicated by the changelog and commits [1]. Users are strongly advised to upgrade to 0.3.0 or later. The vendor notes that the user's application is responsible for input validation [2], but the library's change in behavior (removing the acceptance of arbitrary objects) provides a defense-in-depth fix.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
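The vulnerable call pattern described above beside a hardened form, as an added example that is neither TypeORM's code nor part of this advisory. It assumes a stub repository standing in for a TypeORM repository (so it runs offline) and an application id format of decimal digits; both are assumptions for illustration.

```javascript
// Stand-in for a TypeORM repository (assumption: not TypeORM's own class).
// It only records what type of argument findOne received, which is the
// property that matters for CVE-2022-33171: in TypeORM < 0.3.0 an object
// passed here instead of an id string was treated as FindOneOptions.
class StubRepository {
  constructor() { this.calls = []; }
  findOne(arg) {
    this.calls.push(typeof arg);
    return { id: arg, receivedType: typeof arg };
  }
}

// Vulnerable pattern: whatever JSON.parse produced for "id" is forwarded
// unchanged, so a JSON object in the request body reaches findOne as an object.
function lookupUnchecked(repo, rawJsonBody) {
  const payload = JSON.parse(rawJsonBody);
  return repo.findOne(payload.id);
}

// Hardened pattern: the lookup key must be a string that matches the expected
// id format (assumed here: 1 to 18 decimal digits) before it reaches findOne.
// This is the application-side validation the vendor says is the caller's job.
const ID_PATTERN = /^[0-9]{1,18}$/;
function toLookupId(value) {
  if (typeof value !== 'string' || !ID_PATTERN.test(value)) {
    throw new TypeError('lookup id must be a string in the expected id format');
  }
  return value;
}

function lookupChecked(repo, rawJsonBody) {
  const payload = JSON.parse(rawJsonBody);
  return repo.findOne(toLookupId(payload.id));
}

// Constructed sample request bodies: a legitimate id, and a body whose "id"
// is a JSON object rather than a string.
const SAMPLE_GOOD = '{"id":"42"}';
const SAMPLE_OBJECT_ID = '{"id":{"unexpected":"object"}}';

const repo = new StubRepository();
console.log('unchecked, string id  ->', lookupUnchecked(repo, SAMPLE_GOOD).receivedType);
console.log('unchecked, object id  ->', lookupUnchecked(repo, SAMPLE_OBJECT_ID).receivedType);
console.log('checked, string id    ->', lookupChecked(repo, SAMPLE_GOOD).receivedType);
try {
  lookupChecked(repo, SAMPLE_OBJECT_ID);
} catch (err) {
  console.log('checked, object id    -> rejected:', err.message);
}
```

The unchecked handler hands an object to findOne on the second input, while the checked handler rejects it before the repository is called; upgrading to TypeORM 0.3.0 or later remains the primary fix.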

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: typeorm (npm)
Affected versions: < 0.3.0
Patched versions: 0.3.0

Affected products: 2

Patches: 0 (no patches discovered yet).

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet).