ghsa-q2pj-6v73-8rgj
Vulnerability from github
Published
2025-10-29 18:30
Modified
2025-10-31 17:38
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
8.9 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:P
Summary
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
Details

Summary

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Details

Vulnerable Code:

js const { username, city, name} = req.body; const updateData = { username, city, name, id:userId }; // Developer aims to only allow above three fields to be updated const result = await userRepo.save(updateData);

Intended Payload (non-malicious):

username=myusername&city=Riga&name=Javad

OR

{username:\"myusername\",phone:12345,name:\"Javad\"}

SQL query produced:

``sql UPDATEuserSETusername= 'myusername',city= 'Riga',name= 'Javad' WHEREid` IN (1);

```

Malicious Payload:

username=myusername&city[name]=Riga&city[role]=admin

OR

{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}

SQL query produced with Injected Column:

``sql UPDATEuserSETusername= 'myusername',city=name= 'Javad',role= 'admin' WHEREid` IN (1);

`` _Above query is valid ascity=name=Javadis a boolean expression resulting incity` = 1 (false). “role” column is injected and updated._

Underlying issue was due to TypeORM using mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. This option is then passed into SQLString library as false. This results in sqlstring parsing objects in a strange way using objectToValues.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "typeorm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-60542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-31T17:38:00Z",
    "nvd_published_at": "2025-10-29T16:15:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nSQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.\n\n### Details\n\nVulnerable Code:\n\n```js\nconst { username, city, name} = req.body;\nconst updateData = {\n    username,\n    city,\n    name,\n    id:userId\n  }; // Developer aims to only allow above three fields to be updated    \nconst result = await userRepo.save(updateData);\n```\n\nIntended Payload (non-malicious):\n\n\n`\nusername=myusername\u0026city=Riga\u0026name=Javad\n`\n\n_OR_\n\n`{username:\\\"myusername\\\",phone:12345,name:\\\"Javad\\\"}\n`\n\nSQL query produced:\n\n```sql\nUPDATE `user` \nSET `username` = \u0027myusername\u0027, \n    `city` = \u0027Riga\u0027, \n    `name` = \u0027Javad\u0027 \nWHERE `id` IN (1);\n\n```\n\nMalicious Payload:\n\n`username=myusername\u0026city[name]=Riga\u0026city[role]=admin\n`\n\n_OR_\n\n`{username:\\\"myusername\\\",city:{name:\\\"Javad\\\",role:\\\"admin\\\"}}\n`\n\nSQL query produced with Injected Column:\n\n```sql\nUPDATE `user` \nSET `username` = \u0027myusername\u0027, \n    `city` = `name` = \u0027Javad\u0027, \n    `role` = \u0027admin\u0027 \nWHERE `id` IN (1);\n\n```\n_Above query is valid as `city` = `name` = `Javad` is a boolean expression resulting in `city` = 1 (false). \u201crole\u201d column is injected and updated._\n\nUnderlying issue was due to TypeORM using mysql2 [without specifying a value for the stringifyObjects option](https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts). In both mysql and mysql2 this [option defaults to false](https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124). This option is then passed into [SQLString library as false](https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524). This results in sqlstring [parsing objects in a strange way using objectToValues.](https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54)",
  "id": "GHSA-q2pj-6v73-8rgj",
  "modified": "2025-10-31T17:38:00Z",
  "published": "2025-10-29T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60542"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typeorm/typeorm/pull/11574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typeorm/typeorm/commit/d57fe3bd8578b0b8f9847647fd046bccf825a7ef"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typeorm/typeorm/releases/tag/0.3.26"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typeorm/typeorm/releases?q=security\u0026expanded=true"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453"
    },
    {
      "type": "PACKAGE",
      "url": "http://github.com/typeorm/typeorm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.