CVE-2025-60542
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
Description
### Summary SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false. ### Details Vulnerable Code: ```js const { username, city, name} = req.body; const updateData = { username, city, name, id:userId }; // Developer aims to only allow above three fields to be updated const result = await userRepo.save(updateData); ``` Intended Payload (non-malicious): ` username=myusername&city=Riga&name=Javad ` _OR_ `{username:\"myusername\",phone:12345,name:\"Javad\"} ` SQL query produced: ```sql UPDATE `user` SET `username` = 'myusername', `city` = 'Riga', `name` = 'Javad' WHERE `id` IN (1); ``` Malicious Payload: `username=myusername&city[name]=Riga&city[role]=admin ` _OR_ `{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}} ` SQL query produced with Injected Column: ```sql UPDATE `user` SET `username` = 'myusername', `city` = `name` = 'Javad', `role` = 'admin' WHERE `id` IN (1); ``` _Above query is valid as `city` = `name` = `Javad` is a boolean expression resulting in `city` = 1 (false). “role” column is injected and updated._ Underlying issue was due to TypeORM using mysql2 [without specifying a value for the stringifyObjects option](https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts). In both mysql and mysql2 this [option defaults to false](https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124). This option is then passed into [SQLString library as false](https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524). This results in sqlstring [parsing objects in a strange way using objectToValues.](https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54)
How to fix CVE-2025-60542
To remediate CVE-2025-60542, upgrade the affected package to a fixed version below.
- —upgrade to 0.3.26 or later
Is CVE-2025-60542 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.