TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

Severity:: High

Description

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Recommendation

Update the typeorm package to the latest compatible version. Followings are version details:

Affected version(s): < 0.3.26
Patched version(s): 0.3.26

References

GHSA-q2pj-6v73-8rgj
medium.com
CVE-2025-60542
CWE-89
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
Cube Core is vulnerable to Denial of Service (DoS) via crafted request - CVE-2026-25957
Cube Core is vulnerable to privilege escalation via a specially crafted request - CVE-2026-25958
Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule - CVE-2025-67750

Tags:: npm; typeorm

Anything's wrong? Let us know Last updated on October 31, 2025