Medium severity 6.5 · OSV Advisory · Published Oct 29, 2025 · Updated Apr 15, 2026
CVE-2025-60542
Description
SQL injection vulnerability in TypeORM before 0.3.26 via a crafted request to repository.save or repository.update, caused by the sqlstring call using stringifyObjects with its default value of false.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typeorm (npm) | < 0.3.26 | 0.3.26 |
Affected products
- osv-coords: 3 versions (< 2.70.1-r3, + 2 more)
- (no CPE) range: < 2.70.1-r3
- (no CPE) range: < 2.70.1-r3
- (no CPE) range: < 0.3.26
References
- github.com/advisories/GHSA-q2pj-6v73-8rgj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-60542 (ghsa, ADVISORY)
- github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js (ghsa, WEB)
- github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js (ghsa, WEB)
- github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js (ghsa, WEB)
- github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts (ghsa, WEB)
- github.com/typeorm/typeorm/commit/d57fe3bd8578b0b8f9847647fd046bccf825a7ef (ghsa, WEB)
- github.com/typeorm/typeorm/pull/11574 (nvd, WEB)
- github.com/typeorm/typeorm/releases/tag/0.3.26 (nvd, WEB)
- medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453 (nvd, WEB)