10 matches found

Veracode
added 2026/03/05 9:34 a.m. | 3 views

SQL Injection

TypeORM is vulnerable to SQL Injection. The vulnerability is due to improper handling of object values in the sqlstring call where stringifyObjects defaults to false, which allows an attacker to inject crafted SQL through requests to repository.save or repository.update...

CVSS 6.5 | AI score 5.8 | EPSS 0.00042
Exploits 0 | References 4 | Affected Software 1
RedhatCVE
added 2025/10/30 12:12 a.m. | 2 views

CVE-2025-60542

A flaw was found in TypeORM. When used with MySQL/mysql2 drivers, the repository.save or repository.update methods incorrectly handle nested JSON objects. This is due to an underlying setting stringifyObjects: false that allows an attacker to craft a malicious JSON payload and cause a SQL injecti...

CVSS 8.2 | AI score 7.3 | EPSS 0.00042
Exploits 0 | References 7
Github Security Blog
added 2025/10/29 6:30 p.m. | 9 views

TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

Summary: SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false. Details: Vulnerable Code (js): const { username, city, name } = req.body; const updateData = { username, city, name,...

CVSS 6.5 | AI score 7.1 | EPSS 0.00042
Exploits 0 | References 11 | Affected Software 1
EUVD
added 2025/10/29 6:30 p.m. | 2 views

EUVD-2025-36689

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false...

AI score 7.4 | EPSS 0.00042
Exploits 0 | References 5
OSV
added 2025/10/29 6:30 p.m. | 0 views

GHSA-Q2PJ-6V73-8RGJ TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

Summary: SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false. Details: Vulnerable Code (js): const { username, city, name } = req.body; const updateData = { username, city, name,...

CVSS 9.5 | AI score 7.1 | EPSS 0.00042
Exploits 0 | References 11
OSV
added 2025/10/29 4:15 p.m. | 2 views

CVE-2025-60542

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false...

CVSS 6.5 | AI score 8.1 | EPSS 0.00042
Exploits 0 | References 4
CVE
added 2025/10/29 12:0 a.m. | 15 views

CVE-2025-60542

CVE-2025-60542 (TypeORM): SQL injection in TypeORM before 0.3.26 via crafted requests to repository.save or repository.update, resulting from sqlstring handling where stringifyObjects defaults to false. Public references indicate the issue arises in the MySQL driver path and can affect updates u...

CVSS 6.5 | AI score 7.6 | EPSS 0.00042
Exploits 0 | References 4
Cvelist
added 2025/10/29 12:0 a.m. | 4 views

CVE-2025-60542

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false...

EPSS 0.00042
Exploits 0 | References 4
Positive Technologies
added 2025/10/29 12:0 a.m. | 3 views

PT-2025-44304

Name of the Vulnerable Software and Affected Versions: TypeORM versions prior to 0.3.26. Description: A SQL Injection issue exists in TypeORM. This is due to the sqlstring call using stringifyObjects set to false when processing requests to repository.save or repository.update. A crafted request can...

CVSS 6.5 | AI score 7.6 | EPSS 0.00042
Exploits 0 | References 8
Vulnrichment
added 2025/10/29 12:0 a.m. | 2 views

CVE-2025-60542

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false...

AI score 7.6 | EPSS 0.00042
Exploits 0 | References 4