SQL Injection in sequelize
Critical severity
GitHub Reviewed
Published
Nov 6, 2019
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Package
Affected versions
< 3.35.1
>= 4.0.0, < 4.44.3
>= 5.0.0, < 5.8.11
Patched versions
3.35.1
4.44.3
5.8.11
Description
Reviewed
Nov 5, 2019
Published to the GitHub Advisory Database
Nov 6, 2019
Last updated
Jan 9, 2023
Affected versions of
sequelizeare vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries.Recommendation
If you are using
sequelize5.x, upgrade to version 5.8.11 or later.If you are using
sequelize4.x, upgrade to version 4.44.3 or later.If you are using
sequelize3.x, upgrade to version 3.35.1 or later.References