npm - crud-query-parser - Versions - 0.0.1 - Mend

crud-query-parser 0.0.1

1 security vulnerability found in version 0.0.1

crud-query-parser SQL Injection vulnerability

high severity CVE-2025-32020

Affected versions: < 0.1.0

Impact

Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection.

You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter.

Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability.

Patches

This vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default).

Workarounds

Add an allowlist of fields

List all valid fields and use the filterProperties function to filter out invalid fields before passing the crudRequest to the TypeOrmQueryAdapter. Here's an example:

crudRequest = filterProperties(crudRequest, ['id', 'title', 'category.name']);

Disable ordering

Cleanup the order field just before passing it to the TypeOrmQueryAdapter. Here's an example:

crudRequest.order = [];

No license issues detected.

This package version has a license in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.