SQL Injection in sequelize

Do your applications use this vulnerable package? Test your applications

Overview

sequelize versions prior to 3.17.0 are vulnerable to SQL Injection attacks if untrusted user input is passed into the order or limit parameters.

Example

models.User.findAll({
  limit: '1; DELETE FROM "Users" WHERE 1=1; --',
}).then(function (users) {
  console.log(users);
});

Remediation

Upgrade to version 3.17.0 or greater.

References

https://github.com/sequelize/sequelize/pull/5167
https://github.com/sequelize/sequelize/blob/master/changelog.md#3170
https://github.com/sequelize/sequelize/commit/d198d78182cbf1ea3ef1706740b35813a6aa0838

Snyk patch available for versions:

<=3.16.0 >=3.2.0
View patch

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

Low

Credit: Spencer Creasey
CWE: CWE-89
Snyk ID: npm:sequelize:20160106
Disclosed: 06 Jan, 2015
Published: 01 Apr, 2016

SQL Injection
Affecting sequelize package, versions >=0.2.2 <3.13.17

Overview

Example

Remediation

References

Snyk patch available for versions:

CVSS Score

SQL Injection Affecting sequelize package, versions >=0.2.2 <3.13.17

Overview

Example

Remediation

References

Snyk patch available for versions:

SQL Injection
Affecting sequelize package, versions >=0.2.2 <3.13.17