GHSA-9R25-RP3P-H2W4
Vulnerability from github – Published: 2025-04-09 12:57 – Updated: 2025-04-09 12:57
VLAI?
Summary
crud-query-parser SQL Injection vulnerability
Details
Impact
Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection.
You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter.
Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability.
Patches
This vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default).
Workarounds
Add an allowlist of fields
List all valid fields and use the filterProperties function to filter out invalid fields before passing the crudRequest to the TypeOrmQueryAdapter. Here's an example:
crudRequest = filterProperties(crudRequest, ['id', 'title', 'category.name']);
Disable ordering
Cleanup the order field just before passing it to the TypeOrmQueryAdapter. Here's an example:
crudRequest.order = [];
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "crud-query-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32020"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-09T12:57:13Z",
"nvd_published_at": "2025-04-08T15:15:50Z",
"severity": "HIGH"
},
"details": "### Impact\n\nImproper neutralization of the `order`/`sort` parameter in the TypeORM adapter, which allows SQL injection.\n\nYou are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter.\n\nVersions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability.\n\n### Patches\n\nThis vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default).\n\n### Workarounds\n\n#### Add an allowlist of fields\nList all valid fields and use the `filterProperties` function to filter out invalid fields before passing the crudRequest to the `TypeOrmQueryAdapter`. Here\u0027s an example:\n```ts\ncrudRequest = filterProperties(crudRequest, [\u0027id\u0027, \u0027title\u0027, \u0027category.name\u0027]);\n```\n\n#### Disable ordering\nCleanup the `order` field just before passing it to the `TypeOrmQueryAdapter`. Here\u0027s an example:\n```ts\ncrudRequest.order = [];\n```",
"id": "GHSA-9r25-rp3p-h2w4",
"modified": "2025-04-09T12:57:13Z",
"published": "2025-04-09T12:57:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Guichaguri/crud-query-parser/security/advisories/GHSA-9r25-rp3p-h2w4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32020"
},
{
"type": "PACKAGE",
"url": "https://github.com/Guichaguri/crud-query-parser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "crud-query-parser SQL Injection vulnerability"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…