GHSA-q2pj-6v73-8rgj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q2pj-6v73-8rgj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-q2pj-6v73-8rgj/GHSA-q2pj-6v73-8rgj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q2pj-6v73-8rgj
- Aliases
- Related
- Published
- 2025-10-29T18:30:33Z
- Modified
- 2026-02-04T03:52:19.001983Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:P CVSS Calculator
- Summary
- TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
- Details
-
Summary
SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.
Details
Vulnerable Code:
const { username, city, name} = req.body; const updateData = { username, city, name, id:userId }; // Developer aims to only allow above three fields to be updated const result = await userRepo.save(updateData);Intended Payload (non-malicious):
username=myusername&city=Riga&name=JavadOR
{username:\"myusername\",phone:12345,name:\"Javad\"}SQL query produced:
UPDATE `user` SET `username` = 'myusername', `city` = 'Riga', `name` = 'Javad' WHERE `id` IN (1);Malicious Payload:
username=myusername&city[name]=Riga&city[role]=adminOR
{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}SQL query produced with Injected Column:
UPDATE `user` SET `username` = 'myusername', `city` = `name` = 'Javad', `role` = 'admin' WHERE `id` IN (1);Above query is valid as
city=name=Javadis a boolean expression resulting incity= 1 (false). “role” column is injected and updated.Underlying issue was due to TypeORM using mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. This option is then passed into SQLString library as false. This results in sqlstring parsing objects in a strange way using objectToValues.
- Database specific
{ "nvd_published_at": "2025-10-29T16:15:34Z", "cwe_ids": [ "CWE-89" ], "github_reviewed_at": "2025-10-31T17:38:00Z", "severity": "HIGH", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-60542
- https://github.com/typeorm/typeorm/pull/11574
- https://github.com/typeorm/typeorm/commit/d57fe3bd8578b0b8f9847647fd046bccf825a7ef
- https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54
- https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524
- https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124
- https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts
- https://github.com/typeorm/typeorm/releases/tag/0.3.26
- https://github.com/typeorm/typeorm/releases?q=security&expanded=true
- https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453
- http://github.com/typeorm/typeorm
Affected packages
npm / typeorm
Package
- Name
- typeorm
- View open source insights on deps.dev
- Purl
- pkg:npm/typeorm