TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

Severity:: High

Description

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Recommendation

Update the typeorm package to the latest compatible version. Followings are version details:

Affected version(s): < 0.3.26
Patched version(s): 0.3.26

References

GHSA-q2pj-6v73-8rgj
medium.com
CVE-2025-60542
CWE-89
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Websites were able to send any requests to the development server and read the response in vite - CVE-2025-24010
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - CVE-2023-45133
SQL injection in typeORM - CVE-2022-33171
Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc - CVE-2025-24981

Tags:: npm; typeorm

Anything's wrong? Let us know Last updated on October 31, 2025