TypeORM SQL Injection Vulnerability in MySQL Integration

Vulnerability

A SQL injection vulnerability has been identified in TypeORM versions prior to 0.3.26, specifically when used with MySQL or the mysql2 client. The issue arises because TypeORM did not set the 'stringifyObjects' option to true by default, allowing nested JSON objects to be injected into SQL queries via 'repository.save' or 'repository.update' methods. This vulnerability could be exploited to bypass field-level update restrictions, modify arbitrary columns such as user roles, and potentially escalate privileges, depending on the context.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to bypass restrictions, modify data, and potentially escalate privileges.

Reproduction

To reproduce this vulnerability, use TypeORM with a MySQL database and a version prior to 0.3.26. Pass nested JSON objects into the 'repository.save' or 'repository.update' methods without flattening the data. Because the 'stringifyObjects' option is not set to true, the nested objects are injected into the SQL query.

Remediation

Upgrade TypeORM to version 0.3.26 or later. If using TypeORM with MySQL, ensure that 'stringifyObjects' is set to true in the connection options. After updating, review and test application functionality to ensure that the update has been applied correctly and that no new issues have been introduced.
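
As defense in depth alongside the upgrade, request bodies can be checked for nested values before they reach 'repository.save' or 'repository.update'. The guard below is an added example, not code from this advisory or from TypeORM; the function name, the column allow-list and the sample bodies are assumptions made for illustration.

```typescript
// Added example, not TypeORM code. Column names and sample bodies are constructed.
type Scalar = string | number | boolean | null;
type FlatResult =
  | { ok: true; value: Record<string, Scalar> }
  | { ok: false; reason: string };

function isScalar(v: unknown): v is Scalar {
  return v === null || typeof v === "string" ||
    typeof v === "number" || typeof v === "boolean";
}

// Accepts only a plain object whose keys are all allow-listed columns and whose
// values are all scalars. Nested objects and arrays are refused outright instead
// of being passed on for the MySQL driver to serialize.
function toFlatUpdate(body: unknown, allowed: readonly string[]): FlatResult {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, reason: "body must be a JSON object" };
  }
  const input = body as Record<string, unknown>;
  // Null prototype: no inherited keys can leak into the update.
  const value: Record<string, Scalar> = Object.create(null);
  for (const key of Object.keys(input)) {
    if (allowed.indexOf(key) === -1) {
      return { ok: false, reason: "column not updatable: " + key };
    }
    const v = input[key];
    if (!isScalar(v)) {
      return { ok: false, reason: "non-scalar value for column: " + key };
    }
    value[key] = v;
  }
  return { ok: true, value };
}

// Hypothetical allow-list for a profile-edit endpoint.
const PROFILE_COLUMNS: readonly string[] = ["displayName", "bio"];

// Constructed request bodies, as JSON.parse would produce them.
const flatBody: unknown = JSON.parse('{"displayName":"Alice","bio":"hello"}');
const nestedBody: unknown = JSON.parse('{"displayName":{"nested":"value"}}');

const accepted = toFlatUpdate(flatBody, PROFILE_COLUMNS);  // ok: true
const refused = toFlatUpdate(nestedBody, PROFILE_COLUMNS); // ok: false
// Only accepted.value would then be handed to repository.update(...).
```

The guard does not replace the upgrade or the 'stringifyObjects' setting; it keeps nested input away from the query layer and enforces the field-level restrictions in application code.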

Added: Oct 29, 2025, 4:23 PM
Updated: Oct 29, 2025, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 5.0
exploitability: 6.0
remediation: 7.9
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.