TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

Severity:: High

Description

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Recommendation

Update the typeorm package to the latest compatible version. Followings are version details:

Affected version(s): < 0.3.26
Patched version(s): 0.3.26

References

GHSA-q2pj-6v73-8rgj
medium.com
CVE-2025-60542
CWE-89
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL - CVE-2026-31856
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430

44 New SQL Injection Tests for WordPress in SmartScanner 1.8

Update Cheat Sheet for Developers

How do hackers hack websites?

Tags:: npm; typeorm

Anything's wrong? Let us know Last updated on October 31, 2025