CVE-2025-32020: crud-query-parser SQL Injection vulnerability

April 9, 2025

Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection.

You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter.

Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability.

References

github.com/Guichaguri/crud-query-parser
github.com/Guichaguri/crud-query-parser/security/advisories/GHSA-9r25-rp3p-h2w4
github.com/advisories/GHSA-9r25-rp3p-h2w4
nvd.nist.gov/vuln/detail/CVE-2025-32020

Code Behaviors & Features

Detect and mitigate CVE-2025-32020 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →