Severity: high

Potential SQL Injection



Affected versions of sequelize are vulnerable to SQL Injection when user input is passed into findOne or into a statement such as where: "user input".


Update to version 3.0.0 or later.

Version 3.0.0 will introduce a number of breaking changes. Thankfully, the project authors have provided a 2.x -> 3.x upgrade guide to ease this transition.

If upgrading is not an option, it is also possible to mitigate this by ensuring that all uses of where: "input" and findOne("input") are properly sanitized, such as by the use of a wrapper function.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Oct 31st, 2016
  2. reported

    Initial report by Anonymous
    May 5th, 2016