CVE-2025-32020: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in crud-query-parser

9.3 CVSS

Description

The crud-query-parser library parses query parameters from HTTP requests and converts them to database queries. Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection. You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter. This vulnerability is fixed in 0.1.0.

Classification

CVE ID: CVE-2025-32020

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: Guichaguri

Product: crud-query-parser

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32020
https://github.com/Guichaguri/crud-query-parser/security/advisories/GHSA-9r25-rp3p-h2w4

Timeline

2025-04-08 16:40:21 UTC
CVE

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in crud-query-parser
2025-04-09 13:15:34 UTC
Github Advisory Database (NPM)

[crud-query-parser] crud-query-parser SQL Injection vulnerability