Affected versions of sequelize are vulnerable to SQL Injection in locations where user input is passed into the limit or order parameters of sequelize query calls, such as findOne or findAll.

Recommendation

Update to version 3.17.0 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-10550
• sequelize/sequelize@f282d85
• GHSA-98pq-pmw9-4gpm
• https://www.npmjs.com/advisories/112