Skip to content

SQL Injection in sequelize

High severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm sequelize (npm)

Affected versions

<= 2.0.0-rc7

Patched versions

2.0.0-rc8

Description

Versions 2.0.0-rc-7 and earlier of sequelize are affected by a SQL injection vulnerability when user input is passed into the order parameter.

Proof of Concept

Test.findAndCountAll({
where: { id :1 },
order : [['id', 'UNTRUSTED USER INPUT']]
})

Recommendation

Update to version 2.0.0-rc8 or later

References

Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

Weaknesses

CVE ID

CVE-2015-1369

GHSA ID

GHSA-xqg8-cv3h-xppv

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.