Package details: pkg:npm/sequelize@6.28.1
purl pkg:npm/sequelize@6.28.1
Next non-vulnerable version 6.37.8
Latest non-vulnerable version 7.0.0-next.1
Risk 4.0
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-xn4n-x26m-5qdx
Aliases:
CVE-2026-30951
GHSA-6457-6jrx-69cr
Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type
SQL injection via unescaped cast type in JSON/JSONB `where` clause processing. The `_traverseJSON()` function splits JSON path keys on `::` to extract a cast type, which is interpolated raw into `CAST(... AS <type>)` SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. Affected: v6.x through 6.37.7. v7 (`@sequelize/core`) is not affected.
6.37.8
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-3ugq-njms-xkgd Unsafe fall-through in getWhereConditions. Due to improper parameter filtering in the Sequelize JS library, an attacker can perform injection. CVE-2023-22579
GHSA-vqfx-gj96-3w95
VCID-gzz4-8wz6-f3f9 Sequelize information disclosure vulnerability. Due to improper input filtering in the Sequelize JS library, malicious queries can lead to sensitive information disclosure. CVE-2023-22580
GHSA-8c25-f3mj-v6h8

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-07T20:48:27.986372+00:00 GHSA Importer Fixing VCID-3ugq-njms-xkgd https://github.com/advisories/GHSA-vqfx-gj96-3w95 38.6.0
2026-06-07T20:48:26.123592+00:00 GHSA Importer Fixing VCID-gzz4-8wz6-f3f9 https://github.com/advisories/GHSA-8c25-f3mj-v6h8 38.6.0
2026-06-06T07:18:09.523401+00:00 GitLab Importer Affected by VCID-xn4n-x26m-5qdx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2026-30951.yml 38.6.0
2026-06-04T17:17:58.576546+00:00 GithubOSV Importer Fixing VCID-gzz4-8wz6-f3f9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-8c25-f3mj-v6h8/GHSA-8c25-f3mj-v6h8.json 38.6.0
2026-06-04T17:17:49.938837+00:00 GithubOSV Importer Fixing VCID-3ugq-njms-xkgd https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vqfx-gj96-3w95/GHSA-vqfx-gj96-3w95.json 38.6.0
2026-06-02T04:44:03.054501+00:00 GitLab Importer Fixing VCID-gzz4-8wz6-f3f9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2023-22580.yml 38.6.0
2026-06-02T04:44:02.616971+00:00 GitLab Importer Fixing VCID-3ugq-njms-xkgd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sequelize/CVE-2023-22579.yml 38.6.0