CVE Reports

Originally published at cvereports.com

GHSA-9GGV-8W38-R7PM: SQL Injection in TypeORM UpdateQueryBuilder and SoftDeleteQueryBuilder

Vulnerability ID: GHSA-9GGV-8W38-R7PM
CVSS Score: 8.1
Published: 2026-06-19

A critical SQL injection vulnerability was discovered in TypeORM's UpdateQueryBuilder and SoftDeleteQueryBuilder when targeting MySQL and MariaDB backends. The flaw allows unauthenticated remote attackers to execute arbitrary SQL, because the input validation added for the orderBy direction could be bypassed through certain method signatures. The initial patch was incomplete and left that bypass open; it was closed in the final security update.

TL;DR

TypeORM's UpdateQueryBuilder and SoftDeleteQueryBuilder allowed SQL injection via the orderBy direction parameter when targeting MySQL or MariaDB. An initial fix was bypassed via string-based API signatures, but the vulnerability is fully mitigated in the latest releases.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-89
  • Attack Vector: Network
  • CVSS v3.1 Score: 8.1 (High)
  • Affected Dialects: MySQL, MariaDB
  • Vulnerability Class: SQL Injection
  • Exploit Status: Proof-of-Concept Available
  • Patch Status: Fully Patched (Commit 1b66c44)

Affected Systems

  • Applications using TypeORM with MySQL database engines
  • Applications using TypeORM with MariaDB database engines
  • typeorm: < 0.3.20 (Fixed in: 0.3.20)

Code Analysis

Commit: 93eec63

Introduced centralized validation logic and a partial query builder check (PR 12217).

Commit: 1b66c44

Definitive SQL injection fix: orderBy direction validation applied to UpdateQueryBuilder and SoftDeleteQueryBuilder.

Exploit Details

  • GitHub Advisories: proof-of-concept details and a test validation schema that checks SQL injection strings against unpatched builders.

Mitigation Strategies

  • Upgrade TypeORM to the latest stable version containing the commit 1b66c44d0410bdc56a0dcefb46be41867ec0fffc.
  • Apply strict allowlist input validation for sorting direction arguments on all incoming HTTP requests.
  • Restrict database connection privileges to enforce the Principle of Least Privilege (PoLP).

Remediation Steps:

  1. Execute npm install typeorm@latest or yarn add typeorm@latest to obtain the fully patched build.
  2. Review historical occurrences of .orderBy() and .addOrderBy() within write-based query builders (Update/SoftDelete).
  3. Modify route handlers to map user input directions explicitly: const direction = req.query.dir === 'DESC' ? 'DESC' : 'ASC';.
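The explicit mapping in step 3, carried further as an added example (not TypeORM's own code): a small TypeScript validator that allowlists both the sort column and the direction before either value reaches `.orderBy()`. The `posts` column map and the query-string parameter names `sort` and `dir` are assumptions.

```typescript
// Added example: allowlist request-supplied sort parameters before they reach
// UpdateQueryBuilder/SoftDeleteQueryBuilder.orderBy(). Not TypeORM's code.
type SortDirection = "ASC" | "DESC";

const ALLOWED_DIRECTIONS: ReadonlySet<string> = new Set(["ASC", "DESC"]);

/**
 * Map an untrusted direction value onto the fixed allowlist. Anything that is
 * not exactly ASC or DESC (after trimming and upper-casing) is rejected, so a
 * value carrying extra SQL tokens can never be concatenated into ORDER BY.
 */
function parseSortDirection(raw: unknown, fallback: SortDirection = "ASC"): SortDirection {
  if (raw === undefined || raw === null || raw === "") return fallback;
  if (typeof raw !== "string") throw new RangeError("sort direction must be a string");
  const candidate = raw.trim().toUpperCase();
  if (!ALLOWED_DIRECTIONS.has(candidate)) {
    throw new RangeError(`invalid sort direction: ${JSON.stringify(raw)}`);
  }
  return candidate as SortDirection;
}

/**
 * Column names taken from a query string are attacker-controlled too; resolve
 * them through an explicit map of public name -> real column instead of
 * passing the raw string through. hasOwnProperty keeps prototype keys out.
 */
function parseSortColumn(raw: unknown, columns: Readonly<Record<string, string>>, fallback: string): string {
  if (raw === undefined || raw === null || raw === "") return fallback;
  if (typeof raw !== "string") throw new RangeError("sort column must be a string");
  const mapped = Object.prototype.hasOwnProperty.call(columns, raw) ? columns[raw] : undefined;
  if (mapped === undefined) throw new RangeError(`invalid sort column: ${JSON.stringify(raw)}`);
  return mapped;
}

// Hypothetical mapping for a `posts` entity; only these two columns are sortable.
const POST_SORT_COLUMNS = { created: "post.created_at", title: "post.title" } as const;

/** Validated pair, ready to hand to `.orderBy(column, direction)`. */
function sortFromQuery(query: Record<string, unknown>): { column: string; direction: SortDirection } {
  return {
    column: parseSortColumn(query.sort, POST_SORT_COLUMNS, POST_SORT_COLUMNS.created),
    direction: parseSortDirection(query.dir),
  };
}
```

Because the builder only ever sees one of the two literal directions and one of the mapped column names, the validated values stay safe to pass to `.orderBy()` even on a TypeORM release that lacks the fix.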

Read the full report for GHSA-9GGV-8W38-R7PM on our website for more details including interactive diagrams and full exploit analysis.
