{"url":"http://public2.vulnerablecode.io/api/packages/200400?format=json","purl":"pkg:npm/sequelize@1.7.0-beta8","type":"npm","namespace":"","name":"sequelize","version":"1.7.0-beta8","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.37.8","latest_non_vulnerable_version":"7.0.0-next.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44469?format=json","vulnerability_id":"VCID-3ugq-njms-xkgd","summary":"Unsafe fall-through in getWhereConditions\nDue to improper parameter filtering in the sequelize js library, an attacker can perform injection.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22579","reference_id":"","reference_type":"","scores":[{"value":"0.004","scoring_system":"epss","scoring_elements":"0.61085","published_at":"2026-06-05T12:55:00Z"},{"value":"0.004","scoring_system":"epss","scoring_elements":"0.61082","published_at":"2026-06-09T12:55:00Z"},{"value":"0.004","scoring_system":"epss","scoring_elements":"0.61063","published_at":"2026-06-08T12:55:00Z"},{"value":"0.004","scoring_system":"epss","scoring_elements":"0.61081","published_at":"2026-06-07T12:55:00Z"},{"value":"0.004","scoring_system":"epss","scoring_elements":"0.61036","published_at":"2026-06-04T12:55:00Z"},{"value":"0.004","scoring_system":"epss","scoring_elements":"0.61092","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22579"},{"reference_url":"https://csirt.divd.nl/DIVD-2022-00020","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://csirt.divd.nl/DIVD-2022-00020"},{"reference_url":"https://csirt.divd.nl/DIVD-2022-00020/","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:
N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-18T14:45:28Z/"}],"url":"https://csirt.divd.nl/DIVD-2022-00020/"},{"reference_url":"https://github.com/sequelize/sequelize","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize"},{"reference_url":"https://github.com/sequelize/sequelize/discussions/15698","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/discussions/15698"},{"reference_url":"https://github.com/sequelize/sequelize/pull/15375","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/15375"},{"reference_url":"https://github.com/sequelize/sequelize/pull/15699","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/15699"},{"reference_url":"https://github.com/sequelize/sequelize/releases/tag/v6.28.1","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/se
quelize/sequelize/releases/tag/v6.28.1"},{"reference_url":"https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20"},{"reference_url":"https://csirt.divd.nl/CVE-2023-22579","reference_id":"CVE-2023-22579","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-18T14:45:28Z/"}],"url":"https://csirt.divd.nl/CVE-2023-22579"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22579","reference_id":"CVE-2023-22579","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22579"},{"reference_url":"https://github.com/advisories/GHSA-vqfx-gj96-3w95","reference_id":"GHSA-vqfx-gj96-3w95","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vqfx-gj96-3w95"},{"reference_url":"https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95","reference_id":"GHSA-vqfx-gj96-3w95","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https
://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63970?format=json","purl":"pkg:npm/sequelize@6.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xn4n-x26m-5qdx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@6.28.1"},{"url":"http://public2.vulnerablecode.io/api/packages/637922?format=json","purl":"pkg:npm/sequelize@7.0.0-alpha.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@7.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63971?format=json","purl":"pkg:npm/sequelize@7.0.0-next.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@7.0.0-next.1"}],"aliases":["CVE-2023-22579","GHSA-vqfx-gj96-3w95"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3ugq-njms-xkgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40724?format=json","vulnerability_id":"VCID-452z-1n62-e7ey","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\nsequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. 
A fix was pushed out that fixed potential SQL injection in sequelize 2.1.3 and earlier.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10553","reference_id":"","reference_type":"","scores":[{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50342","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50321","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50303","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50331","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50281","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.5035","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10553"},{"reference_url":"https://github.com/sequelize/sequelize/blob/master/changelog.md#300","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/blob/master/changelog.md#300"},{"reference_url":"https://nodesecurity.io/advisories/109","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/109"},{"reference_url":"https://www.npmjs.com/advisories/109","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/109"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10553","reference_id":"CVE-2016-10553","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10553"},{"reference_url":"https://github.com/advisories/GHSA-2v7q-2xqx-f4q5","reference_id":"GHSA-2v7q-2xqx-f4q5","reference_t
ype":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2v7q-2xqx-f4q5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52950?format=json","purl":"pkg:npm/sequelize@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-55gn-y6w5-fqax"},{"vulnerability":"VCID-gdrv-eh82-7ycn"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-hrt8-8z9v-euh8"},{"vulnerability":"VCID-qraw-us96-3qej"},{"vulnerability":"VCID-rvxy-sfvz-r7bf"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-tufw-g33p-qqds"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-v4z6-u42c-ukbh"},{"vulnerability":"VCID-y51v-nwsy-dba4"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.0.0"}],"aliases":["CVE-2016-10553","GHSA-2v7q-2xqx-f4q5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-452z-1n62-e7ey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40721?format=json","vulnerability_id":"VCID-55gn-y6w5-fqax","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\nsequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. 
This affects sequelize 3.16.0 and earlier.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10550","reference_id":"","reference_type":"","scores":[{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65796","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65804","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65784","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65795","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65743","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00486","scoring_system":"epss","scoring_elements":"0.65808","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10550"},{"reference_url":"https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03"},{"reference_url":"https://nodesecurity.io/advisories/112","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/112"},{"reference_url":"https://www.npmjs.com/advisories/112","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/112"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10550","reference_id":"CVE-2016-10550","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10550"},{"reference_url":"https://github.com/advisories/GHSA-98pq-pmw9-4gpm","reference_id":"GHSA-98pq-pmw9-4g
pm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-98pq-pmw9-4gpm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52938?format=json","purl":"pkg:npm/sequelize@3.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gdrv-eh82-7ycn"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-hrt8-8z9v-euh8"},{"vulnerability":"VCID-qraw-us96-3qej"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-tufw-g33p-qqds"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-v4z6-u42c-ukbh"},{"vulnerability":"VCID-y51v-nwsy-dba4"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.17.0"}],"aliases":["CVE-2016-10550","GHSA-98pq-pmw9-4gpm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-55gn-y6w5-fqax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39660?format=json","vulnerability_id":"VCID-gdrv-eh82-7ycn","summary":"SQL Injection\nsequelize is vulnerable to SQLi allowing attackers to delete data in the `TestTable` 
table.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10556","reference_id":"","reference_type":"","scores":[{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44723","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44683","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.4467","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44701","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44716","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44646","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10556"},{"reference_url":"https://github.com/sequelize/sequelize/commit/23952a2b020cc3571f090e67dae7feb084e1be71","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/commit/23952a2b020cc3571f090e67dae7feb084e1be71"},{"reference_url":"https://github.com/sequelize/sequelize/commits/v3.20.0?after=62e4dacb28a779a190a3e042b971dcd8c7926e49+34&branch=v3.20.0&qualified_name=refs%2Ftags%2Fv3.20.0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/commits/v3.20.0?after=62e4dacb28a779a190a3e042b971dcd8c7926e49+34&branch=v3.20.0&qualified_name=refs%2Ftags%2Fv3.20.0"},{"reference_url":"https://github.com/sequelize/sequelize/issues/5671","reference_id":"","reference_type":"","scores":[{"valu
e":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/issues/5671"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10556","reference_id":"CVE-2016-10556","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10556"},{"reference_url":"https://github.com/advisories/GHSA-9c2p-jw8p-f84v","reference_id":"GHSA-9c2p-jw8p-f84v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9c2p-jw8p-f84v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52943?format=json","purl":"pkg:npm/sequelize@3.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-hrt8-8z9v-euh8"},{"vulnerability":"VCID-qraw-us96-3qej"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-tufw-g33p-qqds"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-v4z6-u42c-ukbh"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.20.0"}],"aliases":["CVE-2016-10556","GHSA-9c2p-jw8p-f84v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gdrv-eh82-7ycn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44475?format=json","vulnerability_id":"VCID-gzz4-8wz6-f3f9","summary":"Sequelize information disclosure vulnerability\nDue to improper input filtering in the sequelize js library, malicious queries can lead to sensitive information 
disclosure.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22580","reference_id":"","reference_type":"","scores":[{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52338","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.5231","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52289","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52318","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52271","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00286","scoring_system":"epss","scoring_elements":"0.52331","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22580"},{"reference_url":"https://csirt.divd.nl/DIVD-2022-00020","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://csirt.divd.nl/DIVD-2022-00020"},{"reference_url":"https://csirt.divd.nl/DIVD-2022-00020/","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-18T14:49:39Z/"}],"url":"https://csirt.divd.nl/DIVD-2022-00020/"},{"reference_url":"https://github.com/sequelize/sequelize","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize"},{"reference_url":"https://github.com/sequelize/sequeli
ze/pull/15375","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/15375"},{"reference_url":"https://github.com/sequelize/sequelize/pull/15699","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/15699"},{"reference_url":"https://github.com/sequelize/sequelize/releases/tag/v6.28.1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/releases/tag/v6.28.1"},{"reference_url":"https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20"},{"reference_url":"https://csirt.divd.nl/CVE-2023-22580","reference_id":"CVE-2023-22580","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-18T14:49:39Z/"}],"url":"https://csirt.divd.nl/CVE-2023-22580"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22580
","reference_id":"CVE-2023-22580","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22580"},{"reference_url":"https://github.com/advisories/GHSA-8c25-f3mj-v6h8","reference_id":"GHSA-8c25-f3mj-v6h8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8c25-f3mj-v6h8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63970?format=json","purl":"pkg:npm/sequelize@6.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xn4n-x26m-5qdx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@6.28.1"},{"url":"http://public2.vulnerablecode.io/api/packages/637922?format=json","purl":"pkg:npm/sequelize@7.0.0-alpha.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@7.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63971?format=json","purl":"pkg:npm/sequelize@7.0.0-next.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@7.0.0-next.1"}],"aliases":["CVE-2023-22580","GHSA-8c25-f3mj-v6h8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gzz4-8wz6-f3f9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38244?format=json","vulnerability_id":"VCID-px1e-wugt-6yhj","summary":"Potential SQL Injection\nSequelize contains a potential SQL 
injection.","references":[{"reference_url":"https://github.com/sequelize/sequelize/blob/master/changelog.md#300","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sequelize/sequelize/blob/master/changelog.md#300"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52950?format=json","purl":"pkg:npm/sequelize@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-55gn-y6w5-fqax"},{"vulnerability":"VCID-gdrv-eh82-7ycn"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-hrt8-8z9v-euh8"},{"vulnerability":"VCID-qraw-us96-3qej"},{"vulnerability":"VCID-rvxy-sfvz-r7bf"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-tufw-g33p-qqds"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-v4z6-u42c-ukbh"},{"vulnerability":"VCID-y51v-nwsy-dba4"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.0.0"}],"aliases":["GMS-2016-81"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-px1e-wugt-6yhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38161?format=json","vulnerability_id":"VCID-qraw-us96-3qej","summary":"SQL Injection via GeoJSON\nSequelizeJS is vulnerable to SQL injection via GeoJSON documents containing a value with a single quote. 
This vulnerability affects postgresql/postgis as well as MySQL.","references":[{"reference_url":"https://github.com/sequelize/sequelize/issues/6194","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sequelize/sequelize/issues/6194"},{"reference_url":"https://github.com/sequelize/sequelize/pull/6302/commits/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sequelize/sequelize/pull/6302/commits/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1"},{"reference_url":"https://github.com/sequelize/sequelize/pull/6303/commits/a81ac1f38476d553c92d522913e91c6e07acc4fa","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sequelize/sequelize/pull/6303/commits/a81ac1f38476d553c92d522913e91c6e07acc4fa"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52835?format=json","purl":"pkg:npm/sequelize@3.23.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-hrt8-8z9v-euh8"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-tufw-g33p-qqds"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-v4z6-u42c-ukbh"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.23.5"},{"url":"http://public2.vulnerablecode.io/api/packages/205015?format=json","purl":"pkg:npm/sequelize@4.0.0-0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@4.0.0-0"}],"aliases":["GMS-2016-41"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCI
D-qraw-us96-3qej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38236?format=json","vulnerability_id":"VCID-rvxy-sfvz-r7bf","summary":"SQL Injection via LIMIT and ORDER\nIf user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements.","references":[{"reference_url":"https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52938?format=json","purl":"pkg:npm/sequelize@3.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gdrv-eh82-7ycn"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-hrt8-8z9v-euh8"},{"vulnerability":"VCID-qraw-us96-3qej"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-tufw-g33p-qqds"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-v4z6-u42c-ukbh"},{"vulnerability":"VCID-y51v-nwsy-dba4"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.17.0"}],"aliases":["GMS-2016-76"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rvxy-sfvz-r7bf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30501?format=json","vulnerability_id":"VCID-t3xj-y5v6-j3de","summary":"SQL Injection is possible in an application using the npm module sequelize if untrusted user input is passed into the order parameter.\n\n\nExample:\n```\nTest.findAndCountAll({\nwhere: { id :1 },\norder : [['id', 'UNTRUSTED USER 
INPUT']]\n})\n```","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-1369","reference_id":"","reference_type":"","scores":[{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58475","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58509","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58523","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58531","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58522","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58524","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-1369"},{"reference_url":"https://github.com/advisories/GHSA-xqg8-cv3h-xppv","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xqg8-cv3h-xppv"},{"reference_url":"https://github.com/sequelize/sequelize","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize"},{"reference_url":"https://github.com/sequelize/sequelize/issues/2906","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/issues/2906"},{"reference_url":"https://github.com/sequelize/sequelize/pull/2919","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/2919"},{"refere
nce_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-1369","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-1369"},{"reference_url":"https://www.npmjs.com/advisories/33","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/33"},{"reference_url":"http://www.openwall.com/lists/oss-security/2015/01/23/2","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2015/01/23/2"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/33.json","reference_id":"33","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/33.json"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6530?format=json","purl":"pkg:npm/sequelize@2.0.0-rc8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-452z-1n62-e7ey"},{"vulnerability":"VCID-55gn-y6w5-fqax"},{"vulnerability":"VCID-gdrv-eh82-7ycn"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-px1e-wugt-6yhj"},{"vulnerability":"VCID-qraw-us96-3qej"},{"vulnerability":"VCID-rvxy-sfvz-r7bf"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-tufw-g33p-qqds"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-v4z6-u42c-ukbh"},{"vulnerability":"VCID-y51v-nwsy-dba4"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@2.0.0-rc8"}],"aliases":["CVE-2015-1369","GHSA-xqg8-cv3h-xppv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabi
lities/VCID-t3xj-y5v6-j3de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41035?format=json","vulnerability_id":"VCID-tccv-wk5y-jkde","summary":"NoSQL Injection in sequelize\nVersions of `sequelize` prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as `$gt` are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection.\n\n\n## Recommendation\n\nUpgrade to version 4.12.0 or later","references":[{"reference_url":"https://github.com/sequelize/sequelize","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize"},{"reference_url":"https://github.com/sequelize/sequelize/commit/ccb99daedb69e8750a241436415ccac8abef358d","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/commit/ccb99daedb69e8750a241436415ccac8abef358d"},{"reference_url":"https://github.com/sequelize/sequelize/issues/7310","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/issues/7310"},{"reference_url":"https://github.com/sequelize/sequelize/pull/8240","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/8240"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-SEQUELIZE-174147","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-SEQUELIZE-174147"},{"reference_url":"https://www.npmjs.com/advisories/820","reference_id":"","reference_type":"","scores":[],"url":"https://www.npmjs.com/advisories/820"},{"reference_url":"https://www.npmjs.com/advisories/820/versions","referen
ce_id":"","reference_type":"","scores":[],"url":"https://www.npmjs.com/advisories/820/versions"},{"reference_url":"https://github.com/advisories/GHSA-wfp9-vr4j-f49j","reference_id":"GHSA-wfp9-vr4j-f49j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wfp9-vr4j-f49j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58139?format=json","purl":"pkg:npm/sequelize@4.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-hnqn-f4z6-m7gf"},{"vulnerability":"VCID-hrt8-8z9v-euh8"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@4.12.0"}],"aliases":["GHSA-wfp9-vr4j-f49j","GMS-2019-139"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tccv-wk5y-jkde"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30535?format=json","vulnerability_id":"VCID-tufw-g33p-qqds","summary":"SQL Injection via GeoJSON\nSequelizeJS 3.23.4 is vulnerable to SQL injection via GeoJSON documents containing a value with a single quote.  This vulnerability affects postgresql/postgis as well as MySQL. This vulnerability only exists within GeoJSON documents using the function `ST_GeomFromGeoJSON` for postgresql/postgis and the function `GeomFromText` for mysql. SequelizeJS's `geometry` datatype is vulnerable.  If you have SequelizeJS models with a field that has a datatype of 'Geometry' and run a mysql or postgresql/postgis backend, your application is vulnerable\n\nSequelizeJS is a popular ORM (Object Relational Mapper) for node.  
\n\nGeoJSON is a format for encoding a variety of geographic data structures.","references":[{"reference_url":"http://docs.sequelizejs.com/en/latest/api/datatypes/#geometry","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""}],"url":"http://docs.sequelizejs.com/en/latest/api/datatypes/#geometry"},{"reference_url":"http://geojson.org/","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""}],"url":"http://geojson.org/"},{"reference_url":"https://github.com/sequelize/sequelize","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize"},{"reference_url":"https://github.com/sequelize/sequelize/commit/14e3deaf3ad27f12900e5275db1d448844c9de3e","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/commit/14e3deaf3ad27f12900e5275db1d448844c9de3e"},{"reference_url":"https://github.com/sequelize/sequelize/commit/18ac91040d9c57351d26ba998f460e214255b704","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/commit/18ac91040d9c57351d26ba998f460e214255b704"},{"reference_url":"https://github.com/sequelize/sequelize/commit/562d52585902090f4e53eb21c61314098c29d795","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N
/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/commit/562d52585902090f4e53eb21c61314098c29d795"},{"reference_url":"https://github.com/sequelize/sequelize/commit/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/commit/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1"},{"reference_url":"https://github.com/sequelize/sequelize/issues/6194","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/issues/6194"},{"reference_url":"https://github.com/sequelize/sequelize/pull/6302","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/6302"},{"reference_url":"https://github.com/sequelize/sequelize/pull/6306","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/6306"},{"reference_url":"https://snyk.io/vuln/npm:sequelize:20160718","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:
U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/npm:sequelize:20160718"},{"reference_url":"https://www.npmjs.com/advisories/122","reference_id":"","reference_type":"","scores":[],"url":"https://www.npmjs.com/advisories/122"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/122.json","reference_id":"122","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/122.json"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000225","reference_id":"CVE-2016-1000225","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000225"},{"reference_url":"https://github.com/advisories/GHSA-5v9h-q3gj-c32x","reference_id":"GHSA-5v9h-q3gj-c32x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5v9h-q3gj-c32x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6575?format=json","purl":"pkg:npm/sequelize@3.23.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-hrt8-8z9v-euh8"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-v4z6-u42c-ukbh"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.23.6"}],"aliases":["CVE-2016-1000225","GHSA-5v9h-q3gj-c32x","GMS-2020-770"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tufw-g33p-qqds"},{"url":"
http://public2.vulnerablecode.io/api/vulnerabilities/53184?format=json","vulnerability_id":"VCID-uuy7-v2qy-yfhv","summary":"Denial of Service in sequelize\nVersions of `sequelize` prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a `TypeError` exception for the `results` variable. The `results` value may be undefined and trigger the error on a `.map` call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.  \n\nThe following proof-of-concept crashes the Node process:  \n```\nconst Sequelize = require('sequelize');\n\nconst sequelize = new Sequelize({\n\tdialect: 'sqlite',\n\tstorage: 'database.sqlite'\n});\n\nconst TypeError = sequelize.define('TypeError', {\n\tname: Sequelize.STRING,\n});\n\nTypeError.sync({force: true}).then(() => {\n\treturn TypeError.create({name: \"SELECT tbl_name FROM sqlite_master\"});\n});\n```\n\n\n## Recommendation\n\nUpgrade to version 4.44.4 or later.","references":[{"reference_url":"https://github.com/sequelize/sequelize/pull/11877","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/pull/11877"},{"reference_url":"https://www.npmjs.com/advisories/1142","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1142"},{"reference_url":"https://github.com/advisories/GHSA-fw4p-36j9-rrj3","reference_id":"GHSA-fw4p-36j9-rrj3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fw4p-36j9-rrj3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78218?format=json","purl":"pkg:npm/sequelize@4.44.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"V
CID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@4.44.4"}],"aliases":["GHSA-fw4p-36j9-rrj3","GMS-2020-771"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uuy7-v2qy-yfhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51967?format=json","vulnerability_id":"VCID-v4z6-u42c-ukbh","summary":"sequelize allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10749","reference_id":"","reference_type":"","scores":[{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58258","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58308","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58304","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58315","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58307","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58289","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10749"},{"reference_url":"https://github.com/sequelize/sequelize/commit/ee4017379db0059566ecb5424274ad4e2d66bc68","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize/commit/ee4017379db0059566ecb5424274ad4e2d66bc68"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450222","reference_id"
:"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450222"},{"reference_url":"https://www.npmjs.com/advisories/1017","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1017"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10749","reference_id":"CVE-2019-10749","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10749"},{"reference_url":"https://github.com/advisories/GHSA-2598-2f59-rmhq","reference_id":"GHSA-2598-2f59-rmhq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2598-2f59-rmhq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76121?format=json","purl":"pkg:npm/sequelize@3.35.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.35.1"}],"aliases":["CVE-2019-10749","GHSA-2598-2f59-rmhq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v4z6-u42c-ukbh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38239?format=json","vulnerability_id":"VCID-y5
1v-nwsy-dba4","summary":"Improper Escaping of Bound Arrays\nIn Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.","references":[{"reference_url":"https://github.com/sequelize/sequelize/issues/5671","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sequelize/sequelize/issues/5671"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52943?format=json","purl":"pkg:npm/sequelize@3.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-hrt8-8z9v-euh8"},{"vulnerability":"VCID-qraw-us96-3qej"},{"vulnerability":"VCID-tccv-wk5y-jkde"},{"vulnerability":"VCID-tufw-g33p-qqds"},{"vulnerability":"VCID-uuy7-v2qy-yfhv"},{"vulnerability":"VCID-v4z6-u42c-ukbh"},{"vulnerability":"VCID-zk15-66xk-2ydf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.20.0"}],"aliases":["GMS-2016-78"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y51v-nwsy-dba4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44506?format=json","vulnerability_id":"VCID-zk15-66xk-2ydf","summary":"Sequelize vulnerable to SQL Injection via replacements\nSequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. 
Users unable to upgrade should not use the `replacements` and the `where` option in the same query.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25813","reference_id":"","reference_type":"","scores":[{"value":"0.03518","scoring_system":"epss","scoring_elements":"0.87891","published_at":"2026-06-09T12:55:00Z"},{"value":"0.03518","scoring_system":"epss","scoring_elements":"0.87853","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03518","scoring_system":"epss","scoring_elements":"0.87875","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03518","scoring_system":"epss","scoring_elements":"0.87877","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03518","scoring_system":"epss","scoring_elements":"0.87879","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25813"},{"reference_url":"https://github.com/sequelize/sequelize","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sequelize/sequelize"},{"reference_url":"https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:23Z/"}],"url":"https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b"},{"reference_url":"https://github.com/sequelize/sequelize/issues/14519","reference_id":"","reference_type":"","scores":[{"value":"10
","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:23Z/"}],"url":"https://github.com/sequelize/sequelize/issues/14519"},{"reference_url":"https://github.com/sequelize/sequelize/releases/tag/v6.19.1","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:23Z/"}],"url":"https://github.com/sequelize/sequelize/releases/tag/v6.19.1"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25813","reference_id":"CVE-2023-25813","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25813"},{"reference_url":"https://github.com/advisories/GHSA-wrh9-cjv3-2hpw","reference_id":"GHSA-wrh9-cjv3-2hpw","reference_type":"","scores":[{"value":"CRITICAL","scor
ing_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wrh9-cjv3-2hpw"},{"reference_url":"https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw","reference_id":"GHSA-wrh9-cjv3-2hpw","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:23Z/"}],"url":"https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64029?format=json","purl":"pkg:npm/sequelize@6.19.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3ugq-njms-xkgd"},{"vulnerability":"VCID-gzz4-8wz6-f3f9"},{"vulnerability":"VCID-xn4n-x26m-5qdx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@6.19.1"}],"aliases":["CVE-2023-25813","GHSA-wrh9-cjv3-2hpw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zk15-66xk-2ydf"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@1.7.0-beta8"}