NoSQL Injection in sequelize

High severity GitHub Reviewed Published Jun 4, 2019 to the GitHub Advisory Database • Updated Apr 30, 2023

Package

sequelize (npm)

Affected versions

< 4.12.0

Patched versions

4.12.0

Description

Versions of sequelize prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as $gt are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection.
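One defensive pattern for the issue described above, as an added example that is not part of this advisory or of Sequelize itself: filter input from an untrusted source is restricted to allow-listed fields with scalar values, so an object carrying a string operator key such as $gt is rejected before it can reach a where clause, and operators are written with Symbol keys (the approach Sequelize adopted from 4.12.0 onward with Sequelize.Op), which JSON.parse can never produce. The Op object and the ALLOWED_FIELDS table are constructed stand-ins for this example.

```javascript
// Added example, not code from the advisory or from Sequelize.
// Two checks for a filter built from untrusted input:
//  1. values reaching a where clause must be scalars, never objects with
//     string keys such as "$gt" (a JSON body or a query-string parser can
//     easily produce such an object);
//  2. operators are expressed with Symbol keys, which JSON cannot create.

// Constructed stand-in for a symbol-based operator object.
const Op = { gt: Symbol('gt'), eq: Symbol('eq') };

// Fields an untrusted filter may reference, and the scalar type each must have.
const ALLOWED_FIELDS = { id: 'number', status: 'string' };

function isPlainScalar(v) {
  return typeof v === 'string' || typeof v === 'number' || typeof v === 'boolean';
}

// Returns a where-object that only contains allow-listed fields with
// scalar values and symbol-keyed operators; throws on anything else.
function buildWhere(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('filter must be a plain object');
  }
  const where = {};
  for (const key of Object.keys(untrusted)) {
    const expected = ALLOWED_FIELDS[key];
    if (!expected) throw new Error(`field not allowed: ${key}`);
    const value = untrusted[key];
    // An object value here (e.g. {"$gt": 0}) would be read as an operator
    // by a string-alias operator parser, so it is rejected outright.
    if (!isPlainScalar(value) || typeof value !== expected) {
      throw new Error(`field ${key} must be a ${expected}`);
    }
    where[key] = { [Op.eq]: value };
  }
  return where;
}

// Detects string-keyed operator aliases in a value; symbol keys are never
// returned by Object.keys, so a symbol-built clause reports false.
function hasStringOperatorKeys(obj) {
  return obj !== null && typeof obj === 'object' &&
    Object.keys(obj).some((k) => k.startsWith('$'));
}

// Constructed sample inputs: a benign filter and one carrying a $gt key.
const benignFilter = JSON.parse('{"id": 42}');
const operatorFilter = JSON.parse('{"id": {"$gt": 0}}');
```

Running buildWhere on benignFilter yields a clause keyed by the Symbol operator, while operatorFilter is rejected before any query is built.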

Recommendation

Upgrade to version 4.12.0 or later

Severity

High

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE ID

No known CVE

GHSA ID

GHSA-wfp9-vr4j-f49j
