CVE-2025-32020: 
JavaScript vulnerability analysis and mitigation

The crud-query-parser library, which parses query parameters from HTTP requests and converts them to database queries, contains a critical SQL injection vulnerability (CVE-2025-32020) discovered in April 2025. The vulnerability affects versions 0.0.1, 0.0.2, and 0.0.3, specifically in the TypeORM adapter's handling of the order/sort parameter (GitHub Advisory).

The vulnerability stems from improper neutralization of special elements in SQL commands within the TypeORM adapter. The issue specifically occurs when ordering is enabled and no property filter is set up. The vulnerability has been assigned a CVSS 4.0 base score of 9.3 (Critical) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

The vulnerability allows attackers to perform SQL injection attacks through the order/sort parameter, potentially leading to unauthorized access to or modification of database contents. The CVSS scoring indicates high impacts on both confidentiality and integrity of the vulnerable system (GitHub Advisory).

The vulnerability has been patched in version 0.1.0, which introduces TypeORM field validation enabled by default. For users unable to upgrade immediately, two workarounds are available: 1) Add an allowlist of fields using the filterProperties function to filter out invalid fields before passing the crudRequest to the TypeOrmQueryAdapter, or 2) Disable ordering by cleaning up the order field just before passing it to the TypeOrmQueryAdapter (GitHub Advisory).