
MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW05anctMjM3ci1ndmZ2

Severity: Critical
EPSS: 0.00427% (0.61514 Percentile)

SQL Injection in sequelize

Affected package: npm:sequelize (PURL: pkg:npm/sequelize)
Affected versions: < 4.44.3
Fixed versions: 4.44.3
4,888 Dependent packages
193,226 Dependent repositories
9,131,743 Downloads last month

Affected Version Ranges

All affected versions

0.0.0-development, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4.0, 1.4.1, 1.5.0, 1.5.0-alpha, 1.5.0-beta, 1.5.0-beta-2, 1.6.0, 1.6.0-alpha-1, 1.6.0-alpha-2, 1.6.0-alpha-3, 1.6.0-beta4, 1.6.0-beta-1, 1.6.0-beta-2, 1.6.0-beta-3, 1.7.0, 1.7.0-alpha1, 1.7.0-alpha2, 1.7.0-alpha3, 1.7.0-beta.0, 1.7.0-beta.1, 1.7.0-beta.2, 1.7.0-beta.3b, 1.7.0-beta.4a, 1.7.0-beta.5, 1.7.0-beta6, 1.7.0-beta7, 1.7.0-beta8, 1.7.0-rc1, 1.7.0-rc2, 1.7.0-rc3, 1.7.0-rc4, 1.7.0-rc5, 1.7.0-rc6, 1.7.0-rc7, 1.7.0-rc8, 1.7.0-rc9, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 2.0.0, 2.0.0-alpha1, 2.0.0-alpha2, 2.0.0-alpha3, 2.0.0-beta.0, 2.0.0-beta.1, 2.0.0-beta.2, 2.0.0-beta.3, 2.0.0-beta.4, 2.0.0-beta.5, 2.0.0-beta.6, 2.0.0-beta.7, 2.0.0-beta.8, 2.0.0-dev1, 2.0.0-dev2, 2.0.0-dev3, 2.0.0-dev4, 2.0.0-dev5, 2.0.0-dev6, 2.0.0-dev7, 2.0.0-dev8, 2.0.0-dev9, 2.0.0-dev10, 2.0.0-dev11, 2.0.0-dev12, 2.0.0-dev13, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.0.0-rc5, 2.0.0-rc6, 2.0.0-rc7, 2.0.0-rc8, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.12.0, 3.12.1, 3.12.2, 3.13.0, 3.14.0, 3.14.1, 3.14.2, 3.15.0, 3.15.1, 3.16.0, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.20.0, 3.21.0, 3.22.0, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.23.5, 3.23.6, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.24.5, 3.24.6, 3.24.7, 3.24.8, 3.25.0, 3.25.1, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.30.1, 3.30.2, 3.30.3, 3.30.4, 3.31.0, 3.31.1, 3.31.2, 3.32.1, 3.33.0, 3.34.0, 3.35.0, 3.35.1, 4.0.0, 4.0.0-0, 4.0.0-1, 4.0.0-2, 4.1.0, 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 
4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.9.0, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.11.7, 4.12.0, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.13.4, 4.13.5, 4.13.6, 4.13.7, 4.13.8, 4.13.9, 4.13.10, 4.13.11, 4.13.12, 4.13.13, 4.13.14, 4.13.15, 4.13.16, 4.13.17, 4.14.0, 4.15.0, 4.15.1, 4.15.2, 4.16.0, 4.16.1, 4.16.2, 4.17.0, 4.17.1, 4.17.2, 4.18.0, 4.19.0, 4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.21.0, 4.22.0, 4.22.1, 4.22.2, 4.22.3, 4.22.4, 4.22.5, 4.22.6, 4.22.7, 4.22.8, 4.22.9, 4.22.10, 4.22.11, 4.22.12, 4.22.13, 4.22.14, 4.22.15, 4.22.16, 4.23.0, 4.23.1, 4.23.2, 4.23.3, 4.23.4, 4.24.0, 4.25.0, 4.25.1, 4.25.2, 4.26.0, 4.27.0, 4.28.0, 4.28.1, 4.28.2, 4.28.3, 4.28.4, 4.28.5, 4.28.6, 4.28.7, 4.28.8, 4.29.0, 4.29.1, 4.29.2, 4.29.3, 4.30.0, 4.30.1, 4.30.2, 4.31.0, 4.31.1, 4.31.2, 4.32.0, 4.32.1, 4.32.2, 4.32.3, 4.32.4, 4.32.5, 4.32.6, 4.32.7, 4.33.0, 4.33.1, 4.33.2, 4.33.3, 4.33.4, 4.34.0, 4.34.1, 4.35.0, 4.35.1, 4.35.2, 4.35.3, 4.35.4, 4.35.5, 4.36.0, 4.36.1, 4.37.0, 4.37.1, 4.37.2, 4.37.3, 4.37.4, 4.37.5, 4.37.6, 4.37.7, 4.37.8, 4.37.9, 4.37.10, 4.38.0, 4.38.1, 4.39.0, 4.39.1, 4.40.0, 4.41.0, 4.41.1, 4.41.2, 4.42.0, 4.42.1, 4.43.0, 4.43.1, 4.43.2, 4.44.0, 4.44.1, 4.44.2

All unaffected versions

4.44.3, 4.44.4, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.4.0, 5.5.0, 5.5.1, 5.6.0, 5.6.1, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.5, 5.8.6, 5.8.7, 5.8.8, 5.8.9, 5.8.10, 5.8.11, 5.8.12, 5.9.0, 5.9.1, 5.9.2, 5.9.3, 5.9.4, 5.9.5, 5.10.0, 5.10.1, 5.10.2, 5.10.3, 5.11.0, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.13.0, 5.13.1, 5.14.0, 5.15.0, 5.15.1, 5.15.2, 5.16.0, 5.17.0, 5.17.1, 5.17.2, 5.18.0, 5.18.1, 5.18.2, 5.18.3, 5.18.4, 5.19.0, 5.19.1, 5.19.2, 5.19.3, 5.19.4, 5.19.5, 5.19.6, 5.19.7, 5.19.8, 5.20.0, 5.21.0, 5.21.1, 5.21.2, 5.21.3, 5.21.4, 5.21.5, 5.21.6, 5.21.7, 5.21.8, 5.21.9, 5.21.10, 5.21.11, 5.21.12, 5.21.13, 5.22.0, 5.22.1, 5.22.2, 5.22.3, 5.22.4, 5.22.5, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.4.0, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 6.6.4, 6.6.5, 6.7.0, 6.8.0, 6.9.0, 6.10.0, 6.11.0, 6.12.0, 6.12.1, 6.12.2, 6.12.3, 6.12.4, 6.12.5, 6.13.0, 6.14.0, 6.14.1, 6.15.0, 6.15.1, 6.16.0, 6.16.1, 6.16.2, 6.16.3, 6.17.0, 6.18.0, 6.19.0, 6.19.1, 6.19.2, 6.20.0, 6.20.1, 6.21.0, 6.21.1, 6.21.2, 6.21.3, 6.21.4, 6.21.5, 6.21.6, 6.22.0, 6.22.1, 6.23.0, 6.23.1, 6.23.2, 6.24.0, 6.25.0, 6.25.1, 6.25.2, 6.25.3, 6.25.4, 6.25.5, 6.25.6, 6.25.7, 6.25.8, 6.26.0, 6.27.0, 6.28.0, 6.28.1, 6.28.2, 6.29.0, 6.29.1, 6.29.2, 6.29.3, 6.30.0, 6.31.0, 6.31.1, 6.32.0, 6.32.1, 6.33.0, 6.34.0, 6.35.0, 6.35.1, 6.35.2, 6.36.0, 6.37.0, 6.37.1, 6.37.2, 6.37.3, 6.37.4, 6.37.5, 6.37.6, 6.37.7

Affected versions of sequelize are vulnerable to SQL Injection. The function sequelize.json() incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example:

return User.findAll({
  where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});

Recommendation

If you are using sequelize 5.x, upgrade to version 5.15.1 or later.
If you are using sequelize 4.x, upgrade to version 4.44.3 or later.
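
Alongside the upgrade, an application can refuse untrusted sub-paths before they reach sequelize.json(). The following is an added example, not code from the advisory or from Sequelize: naiveJsonExtract is a simplified model of unescaped path formatting, and checkJsonPath, safeJsonPath and the allowlist are hypothetical names chosen here.

```javascript
// Constructed sample input: the sub-path string from the advisory's example.
const ADVISORY_PATH = "data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ";

// Simplified model (an assumption, NOT Sequelize's source): the sub-path is
// spliced into a single-quoted SQL literal with no escaping, so a quote in
// the path ends the literal early and the rest is parsed as SQL.
function naiveJsonExtract(path) {
  const [column, ...keys] = path.split('.');
  return `json_extract(${column}, '$.${keys.join('.')}')`;
}

// Hypothetical application-side guard: only allowlisted JSON columns, and
// every key must be a plain identifier or an array index.
const KEY = /^(?:[A-Za-z_][A-Za-z0-9_]*|\d+)$/;

function checkJsonPath(path, allowedColumns) {
  if (typeof path !== 'string' || path.length > 128) {
    return { ok: false, reason: 'not a short string' };
  }
  const [column, ...keys] = path.split('.');
  if (!allowedColumns.includes(column)) {
    return { ok: false, reason: `column not allowlisted: ${column}` };
  }
  const bad = keys.find((k) => !KEY.test(k));
  if (keys.length === 0 || bad !== undefined) {
    return { ok: false, reason: 'invalid path segment' };
  }
  return { ok: true, path };
}

// Call this on any request-derived path before passing it to
// sequelize.json(); it throws instead of returning an unsafe path.
function safeJsonPath(path, allowedColumns) {
  const result = checkJsonPath(path, allowedColumns);
  if (!result.ok) throw new Error(`rejected JSON path: ${result.reason}`);
  return result.path;
}
```

The guard is defense in depth for code that builds JSON paths from request data; it does not replace moving to a fixed release.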
