Package details: pkg:npm/sequelize@6.19.1

purl: pkg:npm/sequelize@6.19.1
Next non-vulnerable version: 6.37.8
Latest non-vulnerable version: 7.0.0-next.1
Risk: 4.5
Vulnerabilities affecting this package (3)

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3ugq-njms-xkgd (aliases: CVE-2023-22579, GHSA-vqfx-gj96-3w95) | Unsafe fall-through in getWhereConditions. Due to improper parameter filtering in the sequelize js library, an attacker can perform injection. | 6.28.1 (affected by 1 other vulnerability); 7.0.0-alpha.1 (affected by 0 other vulnerabilities); 7.0.0-next.1 (affected by 0 other vulnerabilities) |
| VCID-gzz4-8wz6-f3f9 (aliases: CVE-2023-22580, GHSA-8c25-f3mj-v6h8) | Sequelize information disclosure vulnerability. Due to improper input filtering in the sequelize js library, malicious queries can lead to sensitive information disclosure. | 6.28.1 (affected by 1 other vulnerability); 7.0.0-alpha.1 (affected by 0 other vulnerabilities); 7.0.0-next.1 (affected by 0 other vulnerabilities) |
| VCID-xn4n-x26m-5qdx (aliases: CVE-2026-30951, GHSA-6457-6jrx-69cr) | Sequelize v6 vulnerable to SQL injection via JSON column cast type. SQL injection via unescaped cast type in JSON/JSONB `where` clause processing. The `_traverseJSON()` function splits JSON path keys on `::` to extract a cast type, which is interpolated raw into `CAST(... AS <type>)` SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. Affected: v6.x through 6.37.7. v7 (`@sequelize/core`) is not affected. | 6.37.8 (affected by 0 other vulnerabilities) |
Vulnerabilities fixed by this package (1)

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-zk15-66xk-2ydf | Sequelize vulnerable to SQL injection via replacements. Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped, which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query. | CVE-2023-25813, GHSA-wrh9-cjv3-2hpw |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-07T20:48:27.774739+00:00 | GHSA Importer | Fixing | VCID-zk15-66xk-2ydf | https://github.com/advisories/GHSA-wrh9-cjv3-2hpw | 38.6.0 |
| 2026-06-06T07:18:09.352529+00:00 | GitLab Importer | Affected by | VCID-xn4n-x26m-5qdx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2026-30951.yml | 38.6.0 |
| 2026-06-06T03:29:17.169068+00:00 | GitLab Importer | Affected by | VCID-gzz4-8wz6-f3f9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2023-22580.yml | 38.6.0 |
| 2026-06-06T03:28:51.394973+00:00 | GitLab Importer | Affected by | VCID-3ugq-njms-xkgd | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2023-22579.yml | 38.6.0 |
| 2026-06-04T17:18:01.403045+00:00 | GithubOSV Importer | Fixing | VCID-zk15-66xk-2ydf | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-wrh9-cjv3-2hpw/GHSA-wrh9-cjv3-2hpw.json | 38.6.0 |
| 2026-06-02T04:44:05.038586+00:00 | GitLab Importer | Fixing | VCID-zk15-66xk-2ydf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2023-25813.yml | 38.6.0 |