npm package
typeorm
pkg:npm/typeorm
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-60542 | Med | 6.5 | | < 0.3.26 | 0.3.26 | Oct 29, 2025 | SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false. |
| CVE-2022-33171 | — | | | < 0.3.0 | 0.3.0 | Jul 4, 2022 | The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's |
| CVE-2020-8158 | — | | | < 0.2.25 | 0.2.25 | Sep 18, 2020 | Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks. |