GHSA-9r25-rp3p-h2w4

Source

https://github.com/advisories/GHSA-9r25-rp3p-h2w4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-9r25-rp3p-h2w4/GHSA-9r25-rp3p-h2w4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9r25-rp3p-h2w4

Aliases

CVE-2025-32020

Published

2025-04-09T12:57:13Z

Modified

2025-04-09T13:42:21.679410Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

crud-query-parser SQL Injection vulnerability

Details

Impact

Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection.

You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter.

Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability.

Patches

This vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default).

Workarounds

Add an allowlist of fields

List all valid fields and use the filterProperties function to filter out invalid fields before passing the crudRequest to the TypeOrmQueryAdapter. Here's an example:

crudRequest = filterProperties(crudRequest, ['id', 'title', 'category.name']);

Disable ordering

Cleanup the order field just before passing it to the TypeOrmQueryAdapter. Here's an example:

crudRequest.order = [];

Database specific

{
    "severity": "HIGH",
    "nvd_published_at": "2025-04-08T15:15:50Z",
    "github_reviewed_at": "2025-04-09T12:57:13Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

npm / crud-query-parser

Package

Name: crud-query-parser; View open source insights on deps.dev
Purl: pkg:npm/crud-query-parser

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.1.0