@sunnypatell
Changes

Added missing CVSS scoring to GHSA-w7q7-vjp8-7jv4 (SQL Injection in typeorm).

Added:

  • CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
  • PACKAGE reference to the typeorm repo

Reason for change

This advisory had no CVSS score at all. The vulnerability allows unauthenticated attackers to inject arbitrary SQL through unvalidated field names passed to typeorm's find() API, so the score should reflect full network-accessible SQL injection with no auth required.

CVSS justification

  • PR:N/UI:N because typeorm is used in web apps where user input reaches query methods without requiring authentication at the ORM layer
  • C:H/I:H/A:H because SQL injection gives full read/write/delete access to the database

The scoring is consistent with the related typeorm SQL injection CVE-2022-33171, which NVD scored identically at 9.8.

Supporting links

  • added CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8)
  • added PACKAGE reference to typeorm repo
Copilot AI review requested due to automatic review settings February 10, 2026 01:38
@github-actions github-actions bot changed the base branch from main to sunnypatell/advisory-improvement-6819 February 10, 2026 01:39
Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
