gitpod-io
GitHub Repository: gitpod-io/gitpod
Path: blob/main/scripts/trivy/trivyignore.yaml
```yaml
vulnerabilities:
  # Typescript / typeorm
  - id: CVE-2022-33171
    paths:
      - "app/node_modules/typeorm/package.json"
    statement: |
      This vulnerability in TypeORM's findOne / findOneOrFail functions can improperly interpret a crafted JSON object
      and concatenate it into raw SQL, potentially allowing SQL injection attacks.

      In Gitpod’s usage, TypeORM is not exposed to arbitrary user input. For example, DB migrations run preset queries;
      the server/bridge code does not hand raw JSON from external sources to findOne. Therefore, there is no path for
      injecting malicious JSON into a query, rendering the vulnerability non-exploitable.
```
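A suppression like the one above is only as good as the discipline around it: it should be scoped to the affected paths, carry a written risk-acceptance statement, and have an expiry so the decision is revisited when the dependency or its usage changes. The following is an added example, not code from the gitpod-io/gitpod repository. It audits the parsed contents of a Trivy YAML ignore file for those three properties. The field names `id`, `paths` and `statement` are the ones used in the file above; `expired_at` is the expiry field Trivy's YAML ignore format supports; the function names, the audit date and the two `CVE-0000-*` placeholder entries are constructed for illustration.

```python
"""Audit a Trivy YAML ignore file (.trivyignore.yaml) for suppressions that lack
a path scope, a justification, or a future expiry date.

Added example, not part of gitpod-io/gitpod. `id`, `paths`, `statement` are the
fields used in the file above; `expired_at` is Trivy's expiry field. Function
names and sample data are constructed.
"""
from datetime import date
from typing import Any

# Constructed sample: the entry from the file above plus two placeholder entries
# (CVE-0000-*) that exercise the checks: one blanket suppression with no
# rationale, one justified and scoped entry that is past its expiry.
SAMPLE_IGNORE: dict[str, Any] = {
    "vulnerabilities": [
        {
            "id": "CVE-2022-33171",
            "paths": ["app/node_modules/typeorm/package.json"],
            "statement": "TypeORM is not exposed to arbitrary user input ...",
        },
        {
            "id": "CVE-0000-00001",  # placeholder: no paths, no statement
        },
        {
            "id": "CVE-0000-00002",  # placeholder: expired suppression
            "paths": ["usr/lib/example/lib.so"],
            "statement": "Fix pending upstream; re-evaluate after release.",
            "expired_at": date(2024, 1, 1),
        },
    ]
}

# Constructed audit date so the sample result is deterministic.
AUDIT_DATE = date(2024, 6, 1)


def audit_ignore_file(doc: dict[str, Any], today: date) -> dict[str, list[str]]:
    """Return {vulnerability id: [problems]} for every suppression needing attention.

    An entry is sound when it names the paths it applies to, carries a
    human-readable statement, and has an expiry date that has not yet passed.
    """
    findings: dict[str, list[str]] = {}
    for entry in doc.get("vulnerabilities", []):
        vuln_id = entry.get("id", "<missing id>")
        problems: list[str] = []
        if not entry.get("paths"):
            problems.append("no paths: suppression applies to every occurrence in the image")
        if not str(entry.get("statement", "")).strip():
            problems.append("no statement: risk acceptance is undocumented")
        expires = entry.get("expired_at")
        if expires is None:
            problems.append("no expired_at: suppression is never re-evaluated")
        else:
            # PyYAML yields a date for an unquoted YYYY-MM-DD scalar; accept strings too.
            if isinstance(expires, str):
                expires = date.fromisoformat(expires)
            if expires <= today:
                problems.append(f"expired on {expires.isoformat()}: re-assess or remove")
        if problems:
            findings[vuln_id] = problems
    return findings


def load_ignore_file(path: str) -> dict[str, Any]:
    """Load a real trivyignore.yaml. Requires PyYAML; the import is deferred so
    the audit logic above also works on an already-parsed document."""
    import yaml  # type: ignore

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


def run_sample_audit() -> dict[str, list[str]]:
    """Audit the constructed sample at the constructed audit date."""
    return audit_ignore_file(SAMPLE_IGNORE, AUDIT_DATE)


if __name__ == "__main__":
    for vuln_id, problems in run_sample_audit().items():
        print(vuln_id)
        for problem in problems:
            print("  -", problem)
```

Run against the sample, the entry from the file above is flagged only for having no `expired_at`; the blanket placeholder entry is flagged on all three counts, and the expired placeholder is flagged for its past date. Wiring `load_ignore_file` into CI (for example, failing the pipeline on any finding) turns the ignore file from a permanent exception list into one that is periodically re-justified.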