CNNVD-202510-3987 Information

CNNVD ID

CNNVD-202510-3987

CVE-2025-60542

  • CNNVD Published: 2025-10-29

Description (translated from Chinese; the original machine-translated English text was garbled)

TypeORM is an open-source Node.js ORM framework from the TypeORM project. It aims to keep pace with the latest JavaScript features and offers: (1) one-to-one, many-to-one, one-to-many and many-to-many relation handling between tables; (2) support for building database applications of any size, from small apps to enterprise systems; (3) automatic creation of database tables from models; (4) transparent insert/update/delete of database objects; and (5) mapping of database tables to JavaScript objects and of table columns to object properties.

TypeORM versions before 0.3.26 contain a security vulnerability: TypeORM's call into sqlstring (the value-escaping library used by its MySQL driver) leaves sqlstring's stringifyObjects option at its default of false. In that mode sqlstring does not quote an object parameter as a string literal but expands it into raw `key` = value SQL fragments, so a request parameter that arrives as a JSON object instead of a scalar can alter the structure of the generated query and lead to SQL injection. The issue is fixed in TypeORM 0.3.26 (see PR #11574 in References); the practical check is to confirm the installed typeorm version is 0.3.26 or later and, independently, to reject non-scalar values before they are passed as query parameters.
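The following is an added example, not code from TypeORM or from sqlstring. It contains a condensed re-implementation (an assumption made for this page: only the string, number, array and plain-object paths of sqlstring's escape() are reproduced, with Date/Buffer/toSqlString handling omitted) so that it runs offline, and uses it to render the same query with stringifyObjects false (the pre-0.3.26 behaviour) and true, plus a driver-independent guard that rejects object parameters outright. The query text, column names and the constructed "hostile" JSON body are illustrative and not taken from the advisory.

```javascript
// Added example for CVE-2025-60542 (not TypeORM/sqlstring code): shows what a
// JSON object parameter turns into when stringifyObjects is false vs. true.

const CHARS_TO_ESCAPE = {
  "\0": "\\0", "\b": "\\b", "\t": "\\t", "\n": "\\n", "\r": "\\r",
  "\x1a": "\\Z", '"': '\\"', "'": "\\'", "\\": "\\\\",
};

// Condensed equivalent of sqlstring's escapeString(): a quoted string literal.
function escapeString(s) {
  return "'" + String(s).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => CHARS_TO_ESCAPE[c]) + "'";
}

// Condensed equivalent of sqlstring's escapeId(): a backtick-quoted identifier.
function escapeId(id) {
  return "`" + String(id).replace(/`/g, "``") + "`";
}

// Condensed equivalent of sqlstring's escape(val, stringifyObjects) for the
// value kinds a JSON request body can produce (assumption: Date, Buffer and
// toSqlString() handling left out because JSON cannot produce them).
function escape(val, stringifyObjects = false) {
  if (val === undefined || val === null) return "NULL";
  if (typeof val === "boolean") return val ? "true" : "false";
  if (typeof val === "number") return String(val);
  if (Array.isArray(val)) return val.map((v) => escape(v, true)).join(", ");
  if (typeof val === "object") {
    // stringifyObjects = true: the object is quoted like any other string.
    if (stringifyObjects) return escapeString(String(val)); // "'[object Object]'"
    // stringifyObjects = false (the vulnerable default): keys become
    // identifiers and the object expands into raw `key` = value fragments.
    return Object.entries(val)
      .map(([k, v]) => `${escapeId(k)} = ${escape(v, true)}`)
      .join(", ");
  }
  return escapeString(val);
}

// Positional "?" placeholder substitution in the style of sqlstring.format().
function format(sql, params, stringifyObjects = false) {
  let i = 0;
  return sql.replace(/\?/g, () => escape(params[i++], stringifyObjects));
}

// Illustrative query; column and table names are constructed for this example.
const QUERY = "SELECT id FROM users WHERE username = ? AND active = 1";

// Pre-0.3.26 behaviour: stringifyObjects left at its default of false.
function vulnerableQuery(param) { return format(QUERY, [param], false); }
// Behaviour when the caller passes stringifyObjects = true.
function hardenedQuery(param) { return format(QUERY, [param], true); }

// Driver-independent guard: refuse anything that is not a scalar before it
// reaches the ORM, so a JSON object can never be expanded by the driver.
function assertScalarParam(param) {
  if (param !== null && typeof param === "object") {
    throw new TypeError("query parameter must be a scalar, got object");
  }
  return param;
}

function demo() {
  // Constructed inputs: what a handler sees in req.body.username from a normal
  // client versus one that sends a JSON object in place of the string.
  const benign = "alice";
  const hostile = JSON.parse('{"username": 1}');
  return {
    benign: vulnerableQuery(benign),
    // With MySQL's left-associative comparison this reads as
    // (username = username) = 1, i.e. true for every non-NULL row.
    hostileVulnerable: vulnerableQuery(hostile),
    hostileHardened: hardenedQuery(hostile),
  };
}

console.log(demo());
```

The hostile case does not rely on breaking out of a quoted string: every value is still escaped, but the object is spliced in as an unquoted `` `username` = 1 `` fragment, which is why the normal "quotes are escaped" reasoning does not protect the query. Upgrading to 0.3.26 fixes the driver call; the `assertScalarParam` guard is the defence-in-depth check worth keeping regardless of the ORM version.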

Hazard Level

High

Vulnerability Type

Other (the description identifies the issue as SQL injection)

Affected Vendor

TypeORM

Published

2025-10-29

Last Modified

2026-02-24

References

https://github.com/typeorm/typeorm/pull/11574
https://github.com/typeorm/typeorm/releases/tag/0.3.26
https://github.com/typeorm/typeorm/releases?q=security&expanded=true
https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453
https://access.redhat.com/security/cve/cve-2025-60542

Patch

https://github.com/typeorm/typeorm/releases
