Search for packages
| purl | pkg:npm/sequelize@3.23.6 |
| Next non-vulnerable version | 6.37.8 |
| Latest non-vulnerable version | 7.0.0-next.1 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3ugq-njms-xkgd
Aliases: CVE-2023-22579 GHSA-vqfx-gj96-3w95 |
Unsafe fall-through in getWhereConditions Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gzz4-8wz6-f3f9
Aliases: CVE-2023-22580 GHSA-8c25-f3mj-v6h8 |
Sequelize information disclosure vulnerability Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-hrt8-8z9v-euh8
Aliases: CVE-2019-10748 GHSA-j9xp-92vc-559j |
Sequelize all versions prior are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-tccv-wk5y-jkde
Aliases: GHSA-wfp9-vr4j-f49j GMS-2019-139 |
NoSQL Injection in sequelize Versions of `sequelize` prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as `$gt` are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection. ## Recommendation Upgrade to version 4.12.0 or later |
Affected by 6 other vulnerabilities. |
|
VCID-uuy7-v2qy-yfhv
Aliases: GHSA-fw4p-36j9-rrj3 GMS-2020-771 |
Denial of Service in sequelize Versions of `sequelize` prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a `TypeError` exception for the `results` variable. The `results` value may be undefined and trigger the error on a `.map` call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process. The following proof-of-concept crashes the Node process: ``` const Sequelize = require('sequelize'); const sequelize = new Sequelize({ dialect: 'sqlite', storage: 'database.sqlite' }); const TypeError = sequelize.define('TypeError', { name: Sequelize.STRING, }); TypeError.sync({force: true}).then(() => { return TypeError.create({name: "SELECT tbl_name FROM sqlite_master"}); }); ``` ## Recommendation Upgrade to version 4.44.4 or later. |
Affected by 3 other vulnerabilities. |
|
VCID-v4z6-u42c-ukbh
Aliases: CVE-2019-10749 GHSA-2598-2f59-rmhq |
sequelize allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. |
Affected by 4 other vulnerabilities. |
|
VCID-zk15-66xk-2ydf
Aliases: CVE-2023-25813 GHSA-wrh9-cjv3-2hpw |
Sequelize vulnerable to SQL Injection via replacements Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-tufw-g33p-qqds | SQL Injection via GeoJSON SequelizeJS 3.23.4 is vulnerable to SQL injection via GeoJSON documents containing a value with a single quote. This vulnerability affects postresql/postgis as well as MySQL. This vulnerability only exists within GeoJSON documents using the function `ST_GeomFromGeoJSON` for postgresql/postgis and the function `GeomFromText` for mysql. SequelizeJS's `geometry` datatype is vulnerable. If you have SequelizeJS models with a field that has a datatype of 'Geometry' and run a mysql or postgresql/postgis backend, your application is vulnerable SequelizeJS is a popular ORM (Object Relational Mapper) for node. GeoJSON is a format for encoding a variety of geographic data structures. |
CVE-2016-1000225
GHSA-5v9h-q3gj-c32x GMS-2020-770 |