js · typeorm

Heads-up
TypeORM Blind SQL Injection in UpdateQueryBuilder and SoftDeleteQueryBuilder (MySQL/MariaDB)
What changed
Blind SQL injection vulnerability in UpdateQueryBuilder and SoftDeleteQueryBuilder for MySQL/MariaDB: the order parameter is not validated against an allowlist, allowing arbitrary SQL injection via sort direction.
Who it affects
TypeORM users on MySQL or MariaDB who pass user-controlled input to orderBy/addOrderBy on update or soft-delete queries.
What to do today
Upgrade to TypeORM 0.3.29 or 1.0.0, or manually validate the order argument as described in the advisory.
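One way to do the manual validation, as an added example that is not code from the TypeORM project or the advisory: the sort column and direction are checked against fixed allowlists before they reach orderBy/addOrderBy, so anything other than an exact ASC or DESC is rejected instead of being interpolated into the query. The column allowlist, the helper names and the stub builder are assumptions for illustration.

```javascript
// Added example (not TypeORM project code): allowlist validation of user-supplied
// sort parameters before they are handed to UpdateQueryBuilder/SoftDeleteQueryBuilder.
// The column allowlist and helper names are assumptions for illustration.

const ALLOWED_SORT_COLUMNS = new Set(["id", "createdAt", "updatedAt"]);
const ALLOWED_DIRECTIONS = new Set(["ASC", "DESC"]);

// Returns a validated { column, direction } pair or throws.
// Only exact allowlisted strings pass: no trimming, no regex "cleanup",
// so any extra text appended to the direction is rejected outright.
function validateOrder(column, direction = "ASC") {
  if (typeof column !== "string" || !ALLOWED_SORT_COLUMNS.has(column)) {
    throw new Error(`rejected sort column: ${JSON.stringify(column)}`);
  }
  if (typeof direction !== "string") {
    throw new Error("rejected sort direction: not a string");
  }
  const dir = direction.toUpperCase();
  if (!ALLOWED_DIRECTIONS.has(dir)) {
    throw new Error(`rejected sort direction: ${JSON.stringify(direction)}`);
  }
  return { column, direction: dir };
}

// Applies the validated order to any builder exposing orderBy(column, direction).
// With TypeORM you would pass the real query builder here.
function applyUserOrder(qb, column, direction) {
  const { column: col, direction: dir } = validateOrder(column, direction);
  return qb.orderBy(col, dir);
}

// Minimal recording stub standing in for a TypeORM builder so the example runs offline.
function makeStubBuilder() {
  const calls = [];
  return { calls, orderBy(col, dir) { calls.push([col, dir]); return this; } };
}

// Constructed inputs: one benign request, and one whose direction carries
// extra text, which the allowlist refuses before any SQL is built.
function demo() {
  const ok = makeStubBuilder();
  applyUserOrder(ok, "createdAt", "desc");
  let rejected = false;
  try { applyUserOrder(makeStubBuilder(), "createdAt", "DESC, 1"); }
  catch (e) { rejected = true; }
  return { ok: ok.calls, rejected };
}
```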