Severity: critical

SQL Injection



Affected versions of sequelize cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability.

Proof of Concept

In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.

Example Query:

database.query('SELECT * FROM TestTable WHERE Name IN (:names)', {
  replacements: {
    names: directCopyOfUserInput

If the user inputs the value of :names as:

["test", "'); DELETE TestTable WHERE Id = 1 --')"]

The resulting SQL statement will be:

SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')

As the backslash has no special meaning in PostgreSQL, MSSQL, or SQLite, the statement will delete the record in TestTable with an Id of 1.


Update to version 3.20.0 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Oct 31st, 2016
  2. reported

    Initial report by Leibale Eidelman
    Apr 18th, 2016