CVE-2020-8158

CRITICAL LAB

TypeORM <0.2.25 - Prototype Pollution

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-8158. PoCs published by open-flaw, dajneem23.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2020-8158, demonstrating a prototype pollution vulnerability in TypeORM versions < 0.2.25. It includes a vulnerable application, exploit code, and a patched version, along with Docker configurations for testing against multiple databases.

Description

Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.

Exploits (2)

nomisec WORKING POC
by open-flaw · poc
https://github.com/open-flaw/CVE-2020-8158

This repository contains a functional proof-of-concept for CVE-2020-8158, demonstrating a prototype pollution vulnerability in TypeORM versions < 0.2.25. It includes a vulnerable application, exploit code, and a patched version, along with Docker configurations for testing against multiple databases.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: TypeORM < 0.2.25
No auth needed
Prerequisites: Docker · Node.js · TypeORM < 0.2.25
devstral-2 · analyzed May 19, 2026 Full analysis →
nomisec WORKING POC
by dajneem23 · poc
https://github.com/dajneem23/CVE-2020-8158

This repository contains a functional proof-of-concept for CVE-2020-8158, demonstrating a prototype pollution vulnerability in TypeORM versions < 0.2.25. It includes a vulnerable application, exploit scenarios, and a patched version for comparison.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: TypeORM < 0.2.25
No auth needed
Prerequisites: Docker for database setup · Node.js and npm for running the PoC
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/869574

Scores

CVSS v3 9.8
EPSS 0.0028
EPSS Percentile 52.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull mongo:5.0

Details

CWE
CWE-1321 CWE-471
Status published
Products (2)
npm/typeorm 0 - 0.2.25npm
typeorm/typeorm < 0.2.25
Published Sep 18, 2020
Tracked Since Feb 18, 2026