CVE-2020-8158
Prototype Pollution vulnerability in typeorm (npm)
What is CVE-2020-8158 About?
The TypeORM package before 0.2.25 is vulnerable to prototype pollution, which allows attackers to add or modify properties of the Object prototype. This can lead to severe consequences, including denial of service or SQL injection attacks. Exploitation is relatively easy if an application processes untrusted input that can manipulate object prototypes.
Affected Software
Technical Details
The TypeORM package, specifically versions prior to 0.2.25, is susceptible to a prototype pollution vulnerability. This occurs when an attacker can inject properties into the Object.prototype through specific methods or deserialization processes within the TypeORM library. By adding or modifying properties on the global Object.prototype, these properties become accessible to all objects in the JavaScript application via prototype chain inheritance. An attacker can leverage this to manipulate application logic, tamper with data, or even inject malicious code. Depending on how TypeORM is used, this could lead to a denial of service (e.g., by breaking core functionalities) or enable SQL injection attacks by modifying properties involved in query construction or data validation.
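The mechanism described above, shown as an added illustration that is not TypeORM's own code: a naive recursive merge copies a crafted `__proto__` key from deserialized JSON straight onto `Object.prototype`, while the hardened merge beside it skips the dangerous keys and only walks own properties. The input, function names and the `polluted` marker property are constructed for this example.

```javascript
// Added illustration (not TypeORM's own code): a naive recursive merge of
// deserialized, attacker-controlled JSON into an options object, beside a
// hardened version that refuses to touch the prototype chain.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern: walks every key, including "__proto__". On a plain
// target, target["__proto__"] resolves to Object.prototype, so the nested
// merge writes the attacker's properties onto the global prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (!target[key]) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: own keys only, dangerous keys skipped, and nested
// containers created with a null prototype so nothing inherits through them.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object") {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample request body; JSON.parse turns "__proto__" into an
// ordinary own property, which is exactly what the unsafe merge mishandles.
const CRAFTED_JSON = '{"name":"x","__proto__":{"polluted":"yes"}}';

// Runs a merge against a fresh object and reports whether Object.prototype
// was modified; removes the marker afterwards so the process stays clean.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(CRAFTED_JSON));
  const hit = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return hit;
}
```

A quick regression check for any merge or deserialization helper is exactly `pollutes(fn)`: it must return `false`.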
What is the Impact of CVE-2020-8158?
Successful exploitation may allow attackers to achieve denial of service, SQL injection, or potentially arbitrary code execution by altering the behavior of core JavaScript objects.
What is the Exploitability of CVE-2020-8158?
Exploitation of this vulnerability is of medium complexity, typically requiring the attacker to provide carefully crafted input to an application that uses the vulnerable TypeORM package. This input, when processed by TypeORM, would trigger the prototype pollution. Authentication requirements vary based on where the vulnerable input processing occurs; if it's in an unauthenticated endpoint, remote exploitation without authentication is possible. The attacker generally does not need elevated privileges to trigger the pollution but could achieve higher impact after successful exploitation. This is typically a remote vulnerability, but local conditions might be required for certain attack vectors. A key risk factor is an application accepting and processing untrusted, complex object structures from user input without proper sanitization or validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-8158?
Available Upgrade Options
- typeorm
- <0.2.25 → Upgrade to 0.2.25
Additional Resources
What are Similar Vulnerabilities to CVE-2020-8158?
Similar Vulnerabilities: CVE-2020-28477, CVE-2020-7694, CVE-2019-10744, CVE-2022-24903, CVE-2021-23382
