Headline
GHSA-9r25-rp3p-h2w4: crud-query-parser SQL Injection vulnerability
Impact
Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection.
You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter.
Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability.
Patches
This vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default).
Workarounds
Add an allowlist of fields
List all valid fields and use the filterProperties function to filter out invalid fields before passing the crudRequest to the TypeOrmQueryAdapter. Here’s an example:
crudRequest = filterProperties(crudRequest, ['id', 'title', 'category.name']);
Disable ordering
Cleanup the order field just before passing it to the TypeOrmQueryAdapter. Here’s an example:
crudRequest.order = [];
Impact
Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection.
You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter.
Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability.
Patches
This vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default).
Workarounds****Add an allowlist of fields
List all valid fields and use the filterProperties function to filter out invalid fields before passing the crudRequest to the TypeOrmQueryAdapter. Here’s an example:
crudRequest = filterProperties(crudRequest, ['id’, 'title’, ‘category.name’]);
Disable ordering
Cleanup the order field just before passing it to the TypeOrmQueryAdapter. Here’s an example:
References
- GHSA-9r25-rp3p-h2w4
- https://nvd.nist.gov/vuln/detail/CVE-2025-32020