CVE-2025-60542
PUBLISHED
CVSS 6.5 MEDIUM
SQL injection vulnerability in TypeORM before 0.3.26 via a crafted request to repository.save or repository.update, because the sqlstring call uses stringifyObjects with its default value of false.
EPSS 0.04% · 13.2th percentile
Risk Scores
- CVSS 3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
- EPSS Score: 0.04% (13.2th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| npm | typeorm | 0 |
Timeline
- Oct 29, 2025 CVE Published
- Oct 29, 2025 Coalition ESS Score
- Oct 30, 2025 EPSS Score
- Oct 30, 2025 Coalition ESS Score
- Oct 31, 2025 CVE Updated
- Oct 31, 2025 Coalition ESS Score
- Nov 2, 2025 Coalition ESS Score
- Nov 3, 2025 Coalition ESS Score
- Nov 4, 2025 Coalition ESS Score
- Nov 5, 2025 EPSS Score
- Nov 5, 2025 Coalition ESS Score
- Nov 10, 2025 EPSS Score
References
- https://github.com/typeorm/typeorm/releases?q=security&expanded=true url
- https://github.com/typeorm/typeorm/pull/11574 url
- https://github.com/typeorm/typeorm/releases/tag/0.3.26 url
- https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-60542 advisory
- https://github.com/typeorm/typeorm/commit/d57fe3bd8578b0b8f9847647fd046bccf825a7ef url
- https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54 url
- https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524 url
- https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124 url
- https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts url
- http://github.com/typeorm/typeorm package