Description
Versions of typeorm before 0.1.15 are vulnerable to SQL Injection. Field names are not properly validated allowing attackers to inject SQL statements and execute arbitrary SQL queries.
Recommendation
Update the typeorm package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.1.15
- Patched version(s): 0.1.15
References
Related Issues
- TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update - CVE-2025-60542
- Payload does not invalidate JWTs after log out - CVE-2025-4643
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
- Use of Insufficiently Random Values in undici - CVE-2025-22150
- Tags:
- npm
- typeorm
Anything's wrong? Let us know Last updated on January 09, 2023