VulnerableCode Package Details - pkg:npm/sequelize@5.8.12

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/sequelize@5.8.12

Essentials
History (5)

purl	pkg:npm/sequelize@5.8.12

Next non-vulnerable version	6.37.8
Latest non-vulnerable version	7.0.0-next.1
Risk	4.5

Vulnerabilities affecting this package (4)

Vulnerability	Summary	Fixed by
VCID-3ugq-njms-xkgd Aliases: CVE-2023-22579 GHSA-vqfx-gj96-3w95	Unsafe fall-through in getWhereConditions Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.	6.28.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.0.0-alpha.1 Affected by 0 other vulnerabilities. 7.0.0-next.1 Affected by 0 other vulnerabilities.
VCID-gzz4-8wz6-f3f9 Aliases: CVE-2023-22580 GHSA-8c25-f3mj-v6h8	Sequelize information disclosure vulnerability Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.	6.28.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.0.0-alpha.1 Affected by 0 other vulnerabilities. 7.0.0-next.1 Affected by 0 other vulnerabilities.
VCID-hnqn-f4z6-m7gf Aliases: CVE-2019-10752 GHSA-m9jw-237r-gvfv	Sequelize is vulnerable to SQL Injection due to `sequelize.json()` helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.	5.15.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-zk15-66xk-2ydf Aliases: CVE-2023-25813 GHSA-wrh9-cjv3-2hpw	Sequelize vulnerable to SQL Injection via replacements Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.	6.19.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-hrt8-8z9v-euh8	Sequelize all versions prior are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.	CVE-2019-10748 GHSA-j9xp-92vc-559j

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T03:30:32.836612+00:00	GitLab Importer	Affected by	VCID-zk15-66xk-2ydf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2023-25813.yml	38.6.0
2026-06-06T03:29:16.487948+00:00	GitLab Importer	Affected by	VCID-gzz4-8wz6-f3f9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2023-22580.yml	38.6.0
2026-06-06T03:28:50.751007+00:00	GitLab Importer	Affected by	VCID-3ugq-njms-xkgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2023-22579.yml	38.6.0
2026-06-04T20:25:04.555228+00:00	GitLab Importer	Affected by	VCID-hnqn-f4z6-m7gf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2019-10752.yml	38.6.0
2026-06-04T16:19:38.047875+00:00	GitLab Importer	Fixing	VCID-hrt8-8z9v-euh8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2019-10748.yml	38.6.0