Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13cmg5LWNqdjMtMmhwd84AAxxu

Sequelize vulnerable to SQL Injection via replacements

Impact

The SQL injection exploit is related to replacements. Here is such an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the where option.

User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query which parsed the resulting SQL to inject all :replacements.

If the user passed values such as

{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}

Sequelize would first generate this query:

SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Then would inject replacements in it, which resulted in this:

SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

As you can see this resulted in arbitrary user-provided SQL being executed.

Patches

The issue was fixed in Sequelize 6.19.1

Workarounds

Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1

References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519

Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027

Permalink: https://github.com/advisories/GHSA-wrh9-cjv3-2hpw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cmg5LWNqdjMtMmhwd84AAxxu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-wrh9-cjv3-2hpw, CVE-2023-25813
References:

Repository: https://github.com/sequelize/sequelize
Blast Radius: 52.9

Affected Packages

npm:sequelize

Dependent packages: 4,888
Dependent repositories: 193,226
Downloads: 8,216,189 last month
Affected Version Ranges: < 6.19.1
Fixed in: 6.19.1
All affected versions: 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.12.0, 3.12.1, 3.12.2, 3.13.0, 3.14.0, 3.14.1, 3.14.2, 3.15.0, 3.15.1, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.20.0, 3.21.0, 3.22.0, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.23.5, 3.23.6, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.24.5, 3.24.6, 3.24.7, 3.24.8, 3.25.0, 3.25.1, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.30.1, 3.30.2, 3.30.3, 3.30.4, 3.31.0, 3.31.1, 3.31.2, 3.32.1, 3.33.0, 3.34.0, 3.35.0, 3.35.1, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.9.0, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.11.7, 4.12.0, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.13.4, 4.13.5, 4.13.6, 4.13.7, 4.13.8, 4.13.9, 4.13.10, 4.13.11, 4.13.12, 4.13.13, 4.13.14, 4.13.15, 4.13.16, 4.13.17, 4.14.0, 4.15.0, 4.15.1, 4.15.2, 4.16.0, 4.16.1, 4.16.2, 4.17.0, 4.17.1, 4.17.2, 4.18.0, 4.19.0, 4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.21.0, 4.22.0, 4.22.1, 4.22.2, 4.22.3, 4.22.4, 4.22.5, 4.22.6, 4.22.7, 4.22.8, 4.22.9, 4.22.10, 4.22.11, 4.22.12, 4.22.13, 4.22.14, 4.22.15, 4.22.16, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.24.0, 4.25.0, 4.25.1, 4.25.2, 4.26.0, 4.27.0, 4.28.0, 4.28.1, 4.28.2, 4.28.3, 4.28.4, 4.28.5, 4.28.6, 4.28.7, 4.28.8, 4.29.0, 4.29.1, 4.29.2, 4.29.3, 4.30.0, 4.30.1, 4.30.2, 4.31.0, 4.31.1, 4.31.2, 4.32.0, 4.32.1, 4.32.2, 4.32.3, 4.32.4, 4.32.5, 4.32.6, 4.32.7, 4.33.0, 4.33.1, 4.33.2, 4.33.3, 4.33.4, 4.34.0, 4.34.1, 4.35.0, 4.35.1, 4.35.2, 4.35.3, 4.35.4, 4.35.5, 4.36.0, 4.36.1, 4.37.0, 4.37.1, 4.37.2, 4.37.3, 4.37.4, 4.37.5, 4.37.6, 4.37.7, 4.37.8, 4.37.9, 4.37.10, 4.38.0, 4.38.1, 4.39.0, 4.39.1, 4.40.0, 4.41.0, 4.41.1, 4.41.2, 4.42.0, 4.42.1, 4.43.0, 4.43.1, 4.43.2, 4.44.0, 4.44.1, 4.44.2, 4.44.3, 4.44.4, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.4.0, 5.5.0, 5.5.1, 5.6.0, 5.6.1, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.5, 5.8.6, 5.8.7, 5.8.8, 5.8.9, 5.8.10, 5.8.11, 5.8.12, 5.9.0, 5.9.1, 5.9.2, 5.9.3, 5.9.4, 5.9.5, 5.10.0, 5.10.1, 5.10.2, 5.10.3, 5.11.0, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.13.0, 5.13.1, 5.14.0, 5.15.0, 5.15.1, 5.15.2, 5.16.0, 5.17.0, 5.17.1, 5.17.2, 5.18.0, 5.18.1, 5.18.2, 5.18.3, 5.18.4, 5.19.0, 5.19.1, 5.19.2, 5.19.3, 5.19.4, 5.19.5, 5.19.6, 5.19.7, 5.19.8, 5.20.0, 5.21.0, 5.21.1, 5.21.2, 5.21.3, 5.21.4, 5.21.5, 5.21.6, 5.21.7, 5.21.8, 5.21.9, 5.21.10, 5.21.11, 5.21.12, 5.21.13, 5.22.0, 5.22.1, 5.22.2, 5.22.3, 5.22.4, 5.22.5, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.4.0, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 6.6.4, 6.6.5, 6.7.0, 6.8.0, 6.9.0, 6.10.0, 6.11.0, 6.12.0, 6.12.1, 6.12.2, 6.12.3, 6.12.4, 6.12.5, 6.13.0, 6.14.0, 6.14.1, 6.15.0, 6.15.1, 6.16.0, 6.16.1, 6.16.2, 6.16.3, 6.17.0, 6.18.0, 6.19.0
All unaffected versions: 6.19.1, 6.19.2, 6.20.0, 6.20.1, 6.21.0, 6.21.1, 6.21.2, 6.21.3, 6.21.4, 6.21.5, 6.21.6, 6.22.0, 6.22.1, 6.23.0, 6.23.1, 6.23.2, 6.24.0, 6.25.0, 6.25.1, 6.25.2, 6.25.3, 6.25.4, 6.25.5, 6.25.6, 6.25.7, 6.25.8, 6.26.0, 6.27.0, 6.28.0, 6.28.1, 6.28.2, 6.29.0, 6.29.1, 6.29.2, 6.29.3, 6.30.0, 6.31.0, 6.31.1, 6.32.0, 6.32.1, 6.33.0, 6.34.0, 6.35.0, 6.35.1, 6.35.2, 6.36.0, 6.37.0, 6.37.1, 6.37.2, 6.37.3