Search for packages
| purl | pkg:npm/sequelize@4.12.0 |
| Next non-vulnerable version | 6.37.8 |
| Latest non-vulnerable version | 7.0.0-next.1 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3ugq-njms-xkgd
Aliases: CVE-2023-22579 GHSA-vqfx-gj96-3w95 |
Unsafe fall-through in getWhereConditions Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gzz4-8wz6-f3f9
Aliases: CVE-2023-22580 GHSA-8c25-f3mj-v6h8 |
Sequelize information disclosure vulnerability Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-hnqn-f4z6-m7gf
Aliases: CVE-2019-10752 GHSA-m9jw-237r-gvfv |
Sequelize is vulnerable to SQL Injection due to `sequelize.json()` helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-hrt8-8z9v-euh8
Aliases: CVE-2019-10748 GHSA-j9xp-92vc-559j |
Sequelize all versions prior are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. |
Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-uuy7-v2qy-yfhv
Aliases: GHSA-fw4p-36j9-rrj3 GMS-2020-771 |
Denial of Service in sequelize Versions of `sequelize` prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a `TypeError` exception for the `results` variable. The `results` value may be undefined and trigger the error on a `.map` call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process. The following proof-of-concept crashes the Node process: ``` const Sequelize = require('sequelize'); const sequelize = new Sequelize({ dialect: 'sqlite', storage: 'database.sqlite' }); const TypeError = sequelize.define('TypeError', { name: Sequelize.STRING, }); TypeError.sync({force: true}).then(() => { return TypeError.create({name: "SELECT tbl_name FROM sqlite_master"}); }); ``` ## Recommendation Upgrade to version 4.44.4 or later. |
Affected by 3 other vulnerabilities. |
|
VCID-zk15-66xk-2ydf
Aliases: CVE-2023-25813 GHSA-wrh9-cjv3-2hpw |
Sequelize vulnerable to SQL Injection via replacements Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-tccv-wk5y-jkde | NoSQL Injection in sequelize Versions of `sequelize` prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as `$gt` are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection. ## Recommendation Upgrade to version 4.12.0 or later |
GHSA-wfp9-vr4j-f49j
GMS-2019-139 |