CVE-2025-60542
SQL Injection vulnerability in typeorm (npm)
What is CVE-2025-60542 About?
This SQL Injection vulnerability exists in TypeORM versions before 0.3.26, specifically when using `repository.save` or `repository.update`. It allows remote attackers to inject arbitrary SQL columns into update statements via crafted requests. Exploitation is readily achievable by sending a malformed object in the request body.
Affected Software
Technical Details
The SQL injection arises from the default behaviour of the `sqlstring` library when `stringifyObjects` is set to `false`, which is the default for the `mysql` and `mysql2` drivers used by TypeORM. When an object is passed to `repository.save` or `repository.update` (e.g., `updateData`) and that object contains nested objects (e.g., `city:{name:"Javad",role:"admin"}`), `sqlstring`'s `objectToValues` function expands the nested object in an unintended way. Instead of treating `city` as a single value, it interprets `city[name]` and `city[role]` as separate column assignments, injecting new columns into the `UPDATE` query. For example, `city[name]=Riga&city[role]=admin` in a payload could produce a query such as `UPDATE user SET username = 'myusername', city = name = 'Javad', role = 'admin' ...`, where `role` becomes an injected, attacker-controlled column assignment.
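The expansion described above, as an added illustration that is not TypeORM's or `sqlstring`'s own code: a deliberately simplified re-implementation of `sqlstring`'s `escape`/`objectToValues` path (the real library escapes more characters), a driver-style `?` substitution to show the resulting `UPDATE`, and a defender-side `isFlatUpdate` check (a hypothetical helper, not part of any library) that rejects update payloads carrying nested objects before they reach `repository.update`.

```javascript
// Simplified model of sqlstring's behaviour (assumption: only quotes and
// backslashes are escaped here; real sqlstring handles more characters).
function escapeString(s) {
  return "'" + String(s).replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}
function escape(val, stringifyObjects) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number') return String(val);
  if (typeof val === 'boolean') return val ? 'true' : 'false';
  if (typeof val === 'object') {
    if (val instanceof Date) return escapeString(val.toISOString());
    if (stringifyObjects) return escapeString(val.toString()); // -> '[object Object]'
    return objectToValues(val); // default path for mysql/mysql2: expands nested keys
  }
  return escapeString(val);
}
// Each nested key becomes its own `key = value` fragment joined by ', '.
function objectToValues(obj) {
  return Object.keys(obj)
    .filter((k) => typeof obj[k] !== 'function')
    .map((k) => escapeId(k) + ' = ' + escape(obj[k], true))
    .join(', ');
}
// Driver-style placeholder substitution for an UPDATE built from updateData.
function format(sql, values, stringifyObjects) {
  let i = 0;
  return sql.replace(/\?/g, () => escape(values[i++], stringifyObjects));
}
function buildUpdate(table, data, stringifyObjects) {
  const cols = Object.keys(data);
  const sql = 'UPDATE ' + escapeId(table) + ' SET ' +
    cols.map((c) => escapeId(c) + ' = ?').join(', ');
  return format(sql, cols.map((c) => data[c]), stringifyObjects);
}
// Defender-side check (hypothetical helper): accept only scalar, null or Date
// values, so a nested object from a request body never reaches the query.
function isFlatUpdate(data) {
  return Object.values(data).every(
    (v) => v === null || typeof v !== 'object' || v instanceof Date
  );
}
// Constructed payload mirroring the advisory's example.
const updateData = { username: 'myusername', city: { name: 'Javad', role: 'admin' } };
console.log(buildUpdate('user', updateData, false)); // extra `role` = 'admin' assignment appears
console.log(isFlatUpdate(updateData));                // false: reject before calling repository.update
```

With `stringifyObjects` true the nested object collapses to the string `'[object Object]'` and no extra column is assigned, which is why the driver-level default matters.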
What is the Impact of CVE-2025-60542?
Successful exploitation may allow attackers to modify, read, or delete sensitive data in the database, bypass authentication, and potentially achieve remote code execution.
What is the Exploitability of CVE-2025-60542?
Exploiting this SQL injection vulnerability is relatively straightforward, with low to medium attack complexity. An attacker needs to send HTTP requests with a specially crafted JSON or URL-encoded payload to an endpoint that uses `repository.save` or `repository.update` in TypeORM. Authentication might be required to reach the vulnerable endpoint, depending on the application's design, but the vulnerability itself does not depend on elevated privileges. The attack is typically remote, as it involves sending network requests. No special conditions beyond a vulnerable TypeORM version and an application using the affected repository methods are necessary. The risk is significantly higher if the application passes user-supplied input directly into database operations without validation or sanitisation, especially when dealing with nested object structures.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-60542?
About the Fix from Resolved Security
Available Upgrade Options
- typeorm
- <0.3.26 → Upgrade to 0.3.26
Additional Resources
- https://github.com/typeorm/typeorm/releases?q=security&expanded=true
- http://github.com/typeorm/typeorm
- https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453
- https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts
- https://nvd.nist.gov/vuln/detail/CVE-2025-60542
- https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124
- https://github.com/typeorm/typeorm/pull/11574
- https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524
What are Similar Vulnerabilities to CVE-2025-60542?
Similar Vulnerabilities: CVE-2023-38546, CVE-2022-21695, CVE-2021-24754, CVE-2020-14179, CVE-2019-11043
