Potential SQL Injectionsequelize
Affected versions of
sequelize are vulnerable to SQL Injection when user input is passed into
findOne or into a statement such as
where: "user input".
Update to version 3.0.0 or later.
Version 3.0.0 will introduce a number of breaking changes. Thankfully, the project authors have provided a 2.x -> 3.x upgrade guide to ease this transition.
If upgrading is not an option, it is also possible to mitigate this by ensuring that all uses of
where: "input" and
findOne("input") are properly sanitized, such as by the use of a wrapper function.
publishedAdvisory publishedOct 31st, 2016
reportedInitial report by AnonymousMay 5th, 2016