SQL Injection Affecting typeorm package, versions <0.3.26
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-TYPEORM-13746469
- published29 Oct 2025
- disclosed29 Oct 2025
- creditRashad Aliyev, Kamran Asgarov
Introduced: 29 Oct 2025
NewCVE-2025-60542 (opens in a new tab)How to fix?
Upgrade typeorm to version 0.3.26 or higher.
Overview
typeorm is an ORM that can run in NodeJS, Browser, Cordova, PhoneGap, Ionic, React Native, NativeScript, Expo, and Electron platforms and can be used with TypeScript and JavaScript (ES5, ES6, ES7, ES8).
Affected versions of this package are vulnerable to SQL Injection via the repository.save or repository.update features when processing crafted input, due to improper handling in the sqlstring call with stringifyObjects set to false. An attacker can execute arbitrary SQL commands to bypass field-level update restrictions for columns such as user roles, by supplying specially crafted nested JSON.