chore(deps): update dependency typeorm to v0.3.26 [security]#607
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency typeorm to v0.3.26 [security]#607renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
814208b to
1c3e2d4
Compare
1c3e2d4 to
c888cc2
Compare
c888cc2 to
d5a5b3d
Compare
d5a5b3d to
f1f9ab5
Compare
18ac8be to
5b88e64
Compare
5b88e64 to
c46475d
Compare
c46475d to
248fccc
Compare
248fccc to
3341282
Compare
3341282 to
e6e3fd6
Compare
e6e3fd6 to
c2a4a4f
Compare
d24da55 to
860856b
Compare
860856b to
cc5267c
Compare
c49d60d to
e15d673
Compare
e15d673 to
b43c9fc
Compare
b43c9fc to
3f92033
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.3.20→0.3.26TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
CVE-2025-60542 / GHSA-q2pj-6v73-8rgj
More information
Details
Summary
SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.
Details
Vulnerable Code:
Intended Payload (non-malicious):
username=myusername&city=Riga&name=JavadOR
{username:\"myusername\",phone:12345,name:\"Javad\"}SQL query produced:
Malicious Payload:
username=myusername&city[name]=Riga&city[role]=adminOR
{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}SQL query produced with Injected Column:
Above query is valid as
city=name=Javadis a boolean expression resulting incity= 1 (false). “role” column is injected and updated.Underlying issue was due to TypeORM using mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. This option is then passed into SQLString library as false. This results in sqlstring parsing objects in a strange way using objectToValues.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:PReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
typeorm/typeorm (typeorm)
v0.3.26Compare Source
The list below is the set of commits between
0.3.30and1.0.0— fixes already shipped on the0.3.xline are listed under their respective0.3.xentries below.Bug Fixes
shortenmethod to properly work with camelCase_aliases (#11283) (8a9a376)timestamptzpersistence/hydration correctly (#11774) (c26fc33)queryBuilder.update(#11296) (7084240)Features
incrementanddecrementofEntityManager(#11294) (2260718)joinproperty (#12375) (f4f762e)ADD VALUEwhen changing enum values if possible (#10956) (f1be21e)INSERT INTO ... SELECT FROM ...in QueryBuilder (#11896) (8fc0915)Performance Improvements
BREAKING CHANGES
0.3.30 (2026-05-18)
Bug Fixes
Reverts
0.3.29 (2026-05-08)
Bug Fixes
QueryBuilderparameter of type JSDatenot escaped correctly (#11867) (5153436)Features
returningoption to update/upsert operations (#11782) (11d9767)0.3.28 (2025-12-02)
Bug Fixes
findBymethod to MongoEntityManager (#11814) (38715bb)Features
jsonpathcolumn type in PostgreSQL (#11684) (4f05718)0.3.27 (2025-09-19)
Bug Fixes
Features
VirtualColumns to be initially non-selectable (#11586) (22b26d1)Performance Improvements
Reverts
0.3.26 (2025-08-16)
Notes:
stringifyObjects: true, in order to avoid a potential security vulnerabilityin the mysql/mysql2 client libraries. You can revert to the old behavior by setting
connectionOptions.extra.stringifyObjects = false.@sap/hana-clientlibrary. The deprecatedhdb-poolis no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.
Bug Fixes
stringifyObjectsimplicitly (#11574) (d57fe3b)useIndexwhen cloning a QueryExpressionMap (or a QueryBuilder) (#10679) (66ee307), closes #10678 #10678Features
Performance Improvements
0.3.25 (2025-06-19)
Bug Fixes
Features
0.3.24 (2025-05-14)
Bug Fixes
Features
Performance Improvements
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.