TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
- Severity: High
Description
SQL injection vulnerability in TypeORM before 0.3.26 via a crafted request to repository.save or repository.update, because the call to sqlstring's escaping used the default stringifyObjects: false.
Recommendation
Update the typeorm package to the latest compatible version. Version details:
- Affected version(s): < 0.3.26
- Patched version(s): 0.3.26
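Added example (not code from TypeORM or sqlstring) illustrating the mechanism in the description and a stop-gap check for deployments still on an affected version. The escapeLike function is a simplified, hypothetical re-implementation of the branch of sqlstring.escape that handles object values; assertScalarFields is a constructed guard that rejects non-scalar column values before they reach repository.save or repository.update.

```javascript
// Simplified stand-in for sqlstring's string quoting (real sqlstring escapes
// more characters); enough to show the shape of the output.
function escapeString(val) {
  return "'" + String(val).replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Hypothetical re-implementation of how sqlstring.escape() treats a value
// depending on stringifyObjects. With stringifyObjects=false (the default
// TypeORM relied on), a plain object is expanded into `key` = value pairs,
// i.e. a raw SQL fragment rather than a quoted literal.
function escapeLike(val, stringifyObjects) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number' || typeof val === 'boolean') return String(val);
  if (Array.isArray(val)) {
    return val.map((v) => escapeLike(v, stringifyObjects)).join(', ');
  }
  if (typeof val === 'object') {
    if (stringifyObjects) return escapeString(val); // "'[object Object]'"
    return Object.keys(val)
      .map((k) => '`' + k + '` = ' + escapeLike(val[k], false))
      .join(', ');
  }
  return escapeString(val);
}

// Constructed guard for applications that cannot upgrade yet: a JSON request
// body must not be able to place an object where a column value is expected.
const ALLOWED_OBJECT_TYPES = [Date, Buffer];

function assertScalarFields(entity) {
  const bad = [];
  for (const [key, value] of Object.entries(entity)) {
    if (value === null || typeof value !== 'object') continue;
    if (ALLOWED_OBJECT_TYPES.some((T) => value instanceof T)) continue;
    bad.push(key);
  }
  if (bad.length) {
    throw new TypeError('non-scalar field(s) rejected: ' + bad.join(', '));
  }
  return entity;
}

// Constructed sample: a string value stays a literal, an object value does not.
console.log(escapeLike('alice', false));          // 'alice'
console.log(escapeLike({ name: 'alice' }, false)); // `name` = 'alice'
console.log(escapeLike({ name: 'alice' }, true));  // '[object Object]'
```

Call assertScalarFields on the parsed request body before handing it to repository.save or repository.update; upgrading to 0.3.26 remains the actual fix.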
- Tags: npm, typeorm
Last updated on October 31, 2025