Advisories for Npm/Typeorm package

Blind SQL injection vulnerability in UpdateQueryBuilder and SoftDeleteQueryBuilder affecting MySQL and MariaDB users. UpdateQueryBuilder and SoftDeleteQueryBuilder (including their addOrderBy variants) do not validate the order parameter against an allowlist of permitted values (ASC/DESC). The caller-supplied value is stored verbatim and concatenated directly into the generated SQL string without quoting or parameterization. SelectQueryBuilder.orderBy performs this validation correctly; the affected builders do not. If any code path passes user-controlled input to orderBy/addOrderBy …

SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false.

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation

Prototype pollution vulnerability in the TypeORM package may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.

Versions of typeorm before 0.1.15 are vulnerable to SQL Injection. Field names are not properly validated allowing attackers to inject SQL statements and execute arbitrary SQL queries.

Versions of typeorm before 0.1.15 are vulnerable to SQL Injection. Field names are not properly validated allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation Upgrade to version 0.1.15