SQL Injection Affecting typeorm package, versions >=0.1.12 <0.3.29
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-TYPEORM-17391479
- published21 Jun 2026
- disclosed19 Jun 2026
- creditUnknown
Introduced: 19 Jun 2026
New CVE NOT AVAILABLE CWE-89 (opens in a new tab)How to fix?
Upgrade typeorm to version 0.3.29 or higher.
Overview
typeorm is an ORM that can run in NodeJS, Browser, Cordova, PhoneGap, Ionic, React Native, NativeScript, Expo, and Electron platforms and can be used with TypeScript and JavaScript (ES5, ES6, ES7, ES8).
Affected versions of this package are vulnerable to SQL Injection in the orderBy or addOrderBy methods of update or soft-delete query builders when user-controlled input is not validated and is concatenated directly into SQL statements. An attacker can access sensitive data, manipulate targeted rows, or cause denial of service by injecting arbitrary SQL through the sort direction parameter.