Skip to content

Potential SQL Injection in sequelize

High severity GitHub Reviewed Published Feb 18, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm sequelize (npm)

Affected versions

<= 2.1.3

Patched versions

3.0.0

Description

Affected versions of sequelize are vulnerable to SQL Injection when user input is passed into findOne or into a statement such as where: "user input".

Recommendation

Update to version 3.0.0 or later.

Version 3.0.0 will introduce a number of breaking changes.
Thankfully, the project authors have provided a 2.x -> 3.x upgrade guide to ease this transition.

If upgrading is not an option, it is also possible to mitigate this by ensuring that all uses of where: "input" and findOne("input") are properly sanitized, such as by the use of a wrapper function.

References

Published to the GitHub Advisory Database Feb 18, 2019
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.181%
(56th percentile)

Weaknesses

CVE ID

CVE-2016-10553

GHSA ID

GHSA-2v7q-2xqx-f4q5

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.