CVE-2025-60542: 
JavaScript vulnerability analysis and mitigation

SQL Injection vulnerability discovered in TypeORM versions before 0.3.26 affecting applications using MySQL/mysql2 driver. The vulnerability (CVE-2025-60542) exists due to the sqlstring call using stringifyObjects default to false, which allows attackers to manipulate SQL queries through crafted requests to repository.save or repository.update methods (Medium Blog, NVD).

The vulnerability stems from TypeORM's reliance on the mysql2 driver without setting stringifyObjects: true. When developers use repository.save or repository.update methods, nested JSON inputs could be injected into SQL queries. The CVSS v3.1 base score is 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

The vulnerability allows attackers to bypass field-level update restrictions and modify arbitrary columns, including sensitive fields such as user roles. This could potentially lead to privilege escalation depending on the application context. The attack works by manipulating nested JSON objects in requests, which can result in unexpected SQL query modifications (Medium Blog).

The vulnerability has been fixed in TypeORM version 0.3.26 by setting stringifyObjects to true by default. Users should upgrade immediately to version 0.3.26 or later. Alternative mitigations include avoiding passing nested JSON objects directly into repository.save/update methods, flattening and validating input data before persistence, and enforcing input validation and whitelisting at the application level (TypeORM Release, Medium Blog).

The vulnerability was discovered during a client engagement by security researcher Javad Alizada, with assistance from Rashad Aliyev and Kamran Asgarov. The TypeORM team responded promptly by releasing version 0.3.26 with the fix, and the community has shown active engagement in updating to the patched version (Medium Blog).