CVE-2025-32020

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-32020
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32020.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32020
Aliases
Published
2025-04-08T15:05:26.333Z
Modified
2025-12-05T08:54:37.266856Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in crud-query-parser
Details

The crud-query-parser library parses query parameters from HTTP requests and converts them to database queries. Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection. You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter. This vulnerability is fixed in 0.1.0.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32020.json",
    "cwe_ids": [
        "CWE-89"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/guichaguri/crud-query-parser

Affected ranges

Type
GIT
Repo
https://github.com/guichaguri/crud-query-parser
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4dbc1bd6bfbd83c79a35884a9d53c03025d5758e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.1.0"
        }
    ]
}