Update dependency typeorm to v0.3.26 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
typeorm (source)	0.3.20 → 0.3.26

---

TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update

CVE-2025-60542 / GHSA-q2pj-6v73-8rgj

More information

Details

Summary

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

Details

Vulnerable Code:

const { username, city, name} = req.body;
const updateData = {
    username,
    city,
    name,
    id:userId
  }; // Developer aims to only allow above three fields to be updated    
const result = await userRepo.save(updateData);

Intended Payload (non-malicious):

username=myusername&city=Riga&name=Javad

OR

{username:\"myusername\",phone:12345,name:\"Javad\"}

SQL query produced:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = 'Riga', 
    `name` = 'Javad' 
WHERE `id` IN (1);

Malicious Payload:

username=myusername&city[name]=Riga&city[role]=admin

OR

{username:\"myusername\",city:{name:\"Javad\",role:\"admin\"}}

SQL query produced with Injected Column:

UPDATE `user` 
SET `username` = 'myusername', 
    `city` = `name` = 'Javad', 
    `role` = 'admin' 
WHERE `id` IN (1);

Above query is valid as city = name = Javad is a boolean expression resulting in city = 1 (false). “role” column is injected and updated.

Underlying issue was due to TypeORM using mysql2 without specifying a value for the stringifyObjects option. In both mysql and mysql2 this option defaults to false. This option is then passed into SQLString library as false. This results in sqlstring parsing objects in a strange way using objectToValues.

Severity

• CVSS Score: 8.9 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-60542
• https://github.com/typeorm/typeorm/pull/11574
• https://github.com/typeorm/typeorm/releases/tag/0.3.26
• https://github.com/typeorm/typeorm/releases?q=security&expanded=true
• https://medium.com/@​alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453
• https://github.com/typeorm/typeorm/commit/d57fe3bd8578b0b8f9847647fd046bccf825a7ef
• https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54
• https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524
• https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124
• https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts
• https://github.com/advisories/GHSA-q2pj-6v73-8rgj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

typeorm/typeorm (typeorm)

v0.3.26

Compare Source

Notes:

• When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability
  in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.
• When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool
  is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.

Bug Fixes

• add stricter type-checking and improve event loop handling (#​11540) (01dddfe)
• do not create junction table metadata when it already exists (#​11114) (3c26cf1)
• mysql: set stringifyObjects implicitly (#​11574) (d57fe3b)
• mysql: support Alibaba AnalyticDB returning version() column name in getVersion() (#​11555) (1737e97)
• oracle: pass duplicated parameters correctly to the client when executing a query (#​11537) (f2d2236)
• platform[web worker]: improve globalThis variable retrieval for browser environment (#​11495) (ec26eae)
• preserve useIndex when cloning a QueryExpressionMap (or a QueryBuilder) (#​10679) (66ee307), closes #​10678 #​10678
• regtype is not supported in aurora serverless v2 (#​11568) (6e9f20d)
• resolve array modification bug in QueryRunner drop methods (#​11564) (f351757), closes #​11563
• support for better-sqlite3 v12 (#​11557) (1ea3a5e)

Features

• add Redis 5.x support with backward compatibility with peer dependency to allow (#​11585) (17cf837), closes #​11528
• sap: add support for REAL_VECTOR and HALF_VECTOR data types in SAP HANA Cloud (#​11526) (abf8863)
• sap: use the native driver for connection pooling (#​11520) (aebc7eb)
• support virtual columns in entity schema (#​11597) (d1e3950)

Performance Improvements

• avoid unnecessary count on getManyAndCount (#​11524) (5904ac3)

v0.3.25

Compare Source

Bug Fixes

• add collation update detection in PostgresDriver (#​11441) (24c3e38), closes #​8647 #​8647
• fix null pointer exception on date array column comparison (#​11532) (42e7cbe)
• handle limit(0) and offset(0) correctly in SelectQueryBuilder (#​11507) (413f0a6)
• improve async calls on disconnect (#​11523) (ead4f98)
• multiple relations with same column name(s) generate invalid SELECT statement (#​11400) (63a3b9a), closes #​1668 #​9788 #​9814 #​10121 #​10148 #​11109 #​11132 #​11180
• postgres: resolve alias or table name in upsert/insert or update conditionally (#​11452) (2bfa300), closes #​11082 #​11440
• tree-entity: closure junction table primary key definition should match parent table (#​11422) (ce23d46)
• docs: fix up doc search workflow (#​11513) (930eefd)

Features

• add upsert support for Oracle, SQLServer and SAP HANA (#​10974) (a9c16ee)
• spanner: use credentials from connection options (#​11492) (07d7913), closes #​11442
• docs: add typesense/docsearch-scraper (#​11424) (65d5a00)
• docs: add Plausible analytics script to Docusaurus config (#​11517) (86f12c9)

v0.3.24

Compare Source

Bug Fixes

• capacitor use query to run PRAGMA statements (#​11467) (d325d9e)
• ci: resolve pkg.pr.new publish failure (2168441)
• mssql: avoid mutating input parameter array values (#​11476) (b8dbca5)

Features

• add tagged template for executing raw SQL queries (#​11432) (c464ff8)
• add updateAll and deleteAll methods to EntityManager and Repository APIs (#​11459) (23bb1ee)
• spanner: support insert returning (#​11460) (144634d), closes #​11453

Performance Improvements

• improve save performance during entities update (15de733)

v0.3.23

Compare Source

⚠️ Note on a breaking change

This release includes a technically breaking change (from this PR) in the behaviour of the delete and update methods of the EntityManager and Repository APIs, when an empty object is supplied as the criteria:

await repository.delete({})
await repository.update({}, { foo: 'bar' })

• Old behaviour was to delete or update all rows in the table
• New behaviour is to throw an error: Empty criteria(s) are not allowed for the delete/update method.

Why?

This behaviour was not documented and is considered dangerous as it can allow a badly-formed object (e.g. with an undefined id) to inadvertently delete or update the whole table.

When the intention actually was to delete or update all rows, such queries can be rewritten using the QueryBuilder API:

await repository.createQueryBuilder().delete().execute()
// executes: DELETE FROM table_name
await repository.createQueryBuilder().update().set({ foo: 'bar' }).execute()
// executes: UPDATE table_name SET foo = 'bar'

An alternative method for deleting all rows is to use:

await repository.clear()
// executes: TRUNCATE TABLE table_name

Bug Fixes

• beforeQuery promises not awaited before query execution (#​11086) (b9842e3), closes #​11085 #​11085
• change how array columns are compared on column changed detection (#​11269) (a61654e), closes #​5967
• cleanup after streaming in sap hana (#​11399) (fadad1a)
• mongo: propagate aggregate method's generic type to its returned cursor (#​10754) (56f1898)
• prevent error when replication is undefined (#​11423) (61a6f97)
• update/delete/softDelete by criteria of condition objects (#​10910)

Features

• add FormattedConsoleLogger (#​11401) (4c8fc3a), closes #​10801
• add new foreign key decorator, and entity schemas options (#​11144) (6ebae3b), closes #​4569
• Add query timeout support for MySql (#​10846) (046aebe)
• generate ESM migrations via esm flag (#​10802) (7c5ea99), closes #​10801
• publish PR releases using pkg.pr.new (274bdf2)

Performance Improvements

• query-runner: use Date.now() instead of +new Date() (#​10811) (fe71a0c)

v0.3.22

Compare Source

Bug Fixes

• bulk insert NULL values in Oracle (#​11363) (bcaa0bf)
• ensure correct MSSQL parameter conversion in where conditions (ecae9f5), closes #​11285
• export QueryEvent before/after types (#​10688) (03dbc7a)
• FindOptionsSelect to use correct type when property is an object (#​11355) (834e856)
• incorrect table alias in insert orUpdate with Postgres driver (#​11082) (72c6991), closes #​11077
• inverse relation metadata not cyclic (50a660a)
• remove unnecessary import from JS migration (#​11327) (72145b8)
• remove unnecessary spaces in message when running non-fake migrations (#​10809) (c3bebdc)
• sap: incorrect handling of simple array/json data type (#​11322) (27b4207)
• sap: normalize deprecated/removed data types in SAP HANA Cloud (#​11356) (460ef02)
• sap: pass the configured schema to the db client (#​11321) (04ca83a)
• sql escape issues identified by CodeQL (#​11338) (863caf1)
• update mongodb connection options (#​11310) (81bb9d5)
• version detection for Postgres derived variants (#​11375) (3d79786)

Features

• postgres: support macaddr8 column type (b0ea913)
• Send DriverInfo to MongoDB client (#​11214) (a29e047)
• Support Expo SQLite Next (7b242e1)

Reverts

• Revert "fix: nested transactions issues (#​10210)" (7aa4f3c), closes #​10210

v0.3.21

Compare Source

Bug Fixes

• Add support for better-sqlite3 v10 and 11 (#​11096) (6c0c2ba)
• composite key save issue (#​10672) (83567f5)
• moved reflect-metadata to peerDependencies and set version to "^0.1.14 || ^0.2.0" (#​10779) (e7649d2)
• npm-readme: resolve missing image file (#​11290) (c554f58)
• npm-readme: resolve missing image file pt. 2 (#​11291) (981cf82)
• Update mssql allowed version to fix vulnerability. (#​10933) (3a51160)
• Fix maximum call stack error (#​10733) (7a384be0)
• use sql-highlight instead of cli-highlight (#​11221) (1516cfe)

Performance Improvements

• improve results transformer performance (#​10349) (7bea198)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.