GHSA-9ggv-8w38-r7pm: TypeORM: SQL Injection in UpdateQueryBuilder/SoftDeleteQueryBuilder orderBy (MySQL/MariaDB)
Blind SQL injection vulnerability in UpdateQueryBuilder and SoftDeleteQueryBuilder affecting MySQL and MariaDB users.
UpdateQueryBuilder and SoftDeleteQueryBuilder (including their addOrderBy variants) do not validate the order parameter against an allowlist of permitted values (ASC/DESC). The caller-supplied value is stored verbatim and concatenated directly into the generated SQL string without quoting or parameterization. SelectQueryBuilder.orderBy performs this validation correctly; the affected builders do not.
If any code path passes user-controlled input to orderBy/addOrderBy on an update or soft-delete query, an attacker can inject arbitrary SQL via the sort direction — even when the column name itself is hardcoded.
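The allowlist check the advisory says SelectQueryBuilder.orderBy performs and the update/soft-delete builders omit, applied on the caller side as an added example (not TypeORM's own code); the request shape `?sortBy=...&direction=...`, the column list and the `OrderByLike` stand-in are assumptions for the example.

```typescript
// Added example, not TypeORM's own code. Caller-side guard for the
// direction argument of UpdateQueryBuilder/SoftDeleteQueryBuilder
// orderBy and addOrderBy, which in affected versions do not allowlist it.
// The request shape (?sortBy=...&direction=...) and the column list are
// assumptions for this example.

type OrderDirection = "ASC" | "DESC";

// Columns this endpoint may sort on (assumed application table).
const SORTABLE_COLUMNS: ReadonlySet<string> = new Set(["id", "createdAt", "updatedAt"]);

// Same check SelectQueryBuilder.orderBy performs; the update and
// soft-delete builders skip it, so apply it before calling them.
function normalizeOrder(order: unknown): OrderDirection {
  if (typeof order !== "string") {
    throw new Error("sort direction must be a string");
  }
  const upper = order.trim().toUpperCase();
  if (upper === "ASC" || upper === "DESC") {
    return upper;
  }
  // Anything else (extra tokens, comments, function calls) is rejected
  // instead of being concatenated into the generated SQL.
  throw new Error(`rejected sort direction: ${JSON.stringify(order)}`);
}

interface SortClause { column: string; order: OrderDirection }

// Validates both halves of a user-supplied sort request. The advisory
// notes that a hardcoded column does not help if the direction is unchecked.
function parseSortRequest(query: Record<string, unknown>): SortClause {
  const column = query["sortBy"];
  if (typeof column !== "string" || !SORTABLE_COLUMNS.has(column)) {
    throw new Error(`rejected sort column: ${JSON.stringify(column)}`);
  }
  // Default to ASC when absent; otherwise never trust the raw value.
  const order = query["direction"] === undefined ? "ASC" : normalizeOrder(query["direction"]);
  return { column, order };
}

// Minimal stand-in for the builder's orderBy(sort, order) signature so the
// guard can be exercised without a database connection.
interface OrderByLike { orderBy(sort: string, order?: OrderDirection): unknown }

function applyUserSort(qb: OrderByLike, query: Record<string, unknown>): SortClause {
  const clause = parseSortRequest(query);
  qb.orderBy(clause.column, clause.order); // only allowlisted values reach the builder
  return clause;
}
```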
Demonstrated impact includes:
- Data exfiltration via time-based blind extraction (e.g. using SLEEP() to infer secret values bit by bit)
- Row-targeting manipulation in queries using LIMIT patterns
- Denial of service via SLEEP()-based query exhaustion
CVSS 3.1: 8.6 (High) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Affected files (relative to commit 73fda419):
- src/query-builder/UpdateQueryBuilder.ts: lines 383–419 and 718–744
- src/query-builder/SoftDeleteQueryBuilder.ts: lines 352–388 and 520–546
The vulnerability was introduced in commit 03799bd2 (v0.1.12) and is present through the latest release (v0.3.28).