Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/52942?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/52942?format=api", "purl": "pkg:npm/sequelize@3.19.3", "type": "npm", "namespace": "", "name": "sequelize", "version": "3.19.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.37.8", "latest_non_vulnerable_version": "7.0.0-next.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44469?format=api", "vulnerability_id": "VCID-3ugq-njms-xkgd", "summary": "Unsafe fall-through in getWhereConditions\nDue to improper parameter filtering in the sequalize js library, can a attacker peform injection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22579", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.004", "scoring_system": "epss", "scoring_elements": "0.61085", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.004", "scoring_system": "epss", "scoring_elements": "0.61082", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.004", "scoring_system": "epss", "scoring_elements": "0.61063", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.004", "scoring_system": "epss", "scoring_elements": "0.61081", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.004", "scoring_system": "epss", "scoring_elements": "0.61036", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.004", "scoring_system": "epss", "scoring_elements": "0.61092", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22579" }, { "reference_url": "https://csirt.divd.nl/DIVD-2022-00020", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://csirt.divd.nl/DIVD-2022-00020" }, { "reference_url": "https://csirt.divd.nl/DIVD-2022-00020/", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-18T14:45:28Z/" } ], "url": "https://csirt.divd.nl/DIVD-2022-00020/" }, { "reference_url": "https://github.com/sequelize/sequelize", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize" }, { "reference_url": "https://github.com/sequelize/sequelize/discussions/15698", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/discussions/15698" }, { "reference_url": "https://github.com/sequelize/sequelize/pull/15375", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/pull/15375" }, { "reference_url": "https://github.com/sequelize/sequelize/pull/15699", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/pull/15699" }, { "reference_url": "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/releases/tag/v6.28.1" }, { "reference_url": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20" }, { "reference_url": "https://csirt.divd.nl/CVE-2023-22579", "reference_id": "CVE-2023-22579", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-18T14:45:28Z/" } ], "url": "https://csirt.divd.nl/CVE-2023-22579" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22579", "reference_id": "CVE-2023-22579", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22579" }, { "reference_url": "https://github.com/advisories/GHSA-vqfx-gj96-3w95", "reference_id": "GHSA-vqfx-gj96-3w95", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vqfx-gj96-3w95" }, { "reference_url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95", "reference_id": "GHSA-vqfx-gj96-3w95", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63970?format=api", "purl": "pkg:npm/sequelize@6.28.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xn4n-x26m-5qdx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@6.28.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/637922?format=api", "purl": "pkg:npm/sequelize@7.0.0-alpha.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@7.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/63971?format=api", "purl": "pkg:npm/sequelize@7.0.0-next.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@7.0.0-next.1" } ], "aliases": [ "CVE-2023-22579", "GHSA-vqfx-gj96-3w95" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3ugq-njms-xkgd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39660?format=api", "vulnerability_id": "VCID-gdrv-eh82-7ycn", "summary": "SQL Injection\nsequelize is vulnerable to SQLi allowing attackers to delete data in the `TestTable` table.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-10556", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0022", "scoring_system": "epss", "scoring_elements": "0.44723", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0022", "scoring_system": "epss", "scoring_elements": "0.44683", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.0022", "scoring_system": "epss", "scoring_elements": "0.4467", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0022", "scoring_system": "epss", "scoring_elements": "0.44701", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0022", "scoring_system": "epss", "scoring_elements": "0.44716", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0022", "scoring_system": "epss", "scoring_elements": "0.44646", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-10556" }, { "reference_url": "https://github.com/sequelize/sequelize/commit/23952a2b020cc3571f090e67dae7feb084e1be71", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/commit/23952a2b020cc3571f090e67dae7feb084e1be71" }, { "reference_url": "https://github.com/sequelize/sequelize/commits/v3.20.0?after=62e4dacb28a779a190a3e042b971dcd8c7926e49+34&branch=v3.20.0&qualified_name=refs%2Ftags%2Fv3.20.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/commits/v3.20.0?after=62e4dacb28a779a190a3e042b971dcd8c7926e49+34&branch=v3.20.0&qualified_name=refs%2Ftags%2Fv3.20.0" }, { "reference_url": "https://github.com/sequelize/sequelize/issues/5671", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/issues/5671" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10556", "reference_id": "CVE-2016-10556", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10556" }, { "reference_url": "https://github.com/advisories/GHSA-9c2p-jw8p-f84v", "reference_id": "GHSA-9c2p-jw8p-f84v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9c2p-jw8p-f84v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52943?format=api", "purl": "pkg:npm/sequelize@3.20.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-hrt8-8z9v-euh8" }, { "vulnerability": "VCID-qraw-us96-3qej" }, { "vulnerability": "VCID-tccv-wk5y-jkde" }, { "vulnerability": "VCID-tufw-g33p-qqds" }, { "vulnerability": "VCID-uuy7-v2qy-yfhv" }, { "vulnerability": "VCID-v4z6-u42c-ukbh" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.20.0" } ], "aliases": [ "CVE-2016-10556", "GHSA-9c2p-jw8p-f84v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gdrv-eh82-7ycn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44475?format=api", "vulnerability_id": "VCID-gzz4-8wz6-f3f9", "summary": "Sequelize information disclosure vulnerability\nDue to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22580", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00286", "scoring_system": "epss", "scoring_elements": "0.52338", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00286", "scoring_system": "epss", "scoring_elements": "0.5231", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00286", "scoring_system": "epss", "scoring_elements": "0.52289", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00286", "scoring_system": "epss", "scoring_elements": "0.52318", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00286", "scoring_system": "epss", "scoring_elements": "0.52271", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00286", "scoring_system": "epss", "scoring_elements": "0.52331", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22580" }, { "reference_url": "https://csirt.divd.nl/DIVD-2022-00020", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://csirt.divd.nl/DIVD-2022-00020" }, { "reference_url": "https://csirt.divd.nl/DIVD-2022-00020/", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-18T14:49:39Z/" } ], "url": "https://csirt.divd.nl/DIVD-2022-00020/" }, { "reference_url": "https://github.com/sequelize/sequelize", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize" }, { "reference_url": "https://github.com/sequelize/sequelize/pull/15375", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/pull/15375" }, { "reference_url": "https://github.com/sequelize/sequelize/pull/15699", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/pull/15699" }, { "reference_url": "https://github.com/sequelize/sequelize/releases/tag/v6.28.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/releases/tag/v6.28.1" }, { "reference_url": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20" }, { "reference_url": "https://csirt.divd.nl/CVE-2023-22580", "reference_id": "CVE-2023-22580", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-18T14:49:39Z/" } ], "url": "https://csirt.divd.nl/CVE-2023-22580" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22580", "reference_id": "CVE-2023-22580", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22580" }, { "reference_url": "https://github.com/advisories/GHSA-8c25-f3mj-v6h8", "reference_id": "GHSA-8c25-f3mj-v6h8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8c25-f3mj-v6h8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63970?format=api", "purl": "pkg:npm/sequelize@6.28.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xn4n-x26m-5qdx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@6.28.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/637922?format=api", "purl": "pkg:npm/sequelize@7.0.0-alpha.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@7.0.0-alpha.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/63971?format=api", "purl": "pkg:npm/sequelize@7.0.0-next.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@7.0.0-next.1" } ], "aliases": [ "CVE-2023-22580", "GHSA-8c25-f3mj-v6h8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gzz4-8wz6-f3f9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51965?format=api", "vulnerability_id": "VCID-hrt8-8z9v-euh8", "summary": "Sequelize all versions prior are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-10748", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00427", "scoring_system": "epss", "scoring_elements": "0.62795", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00427", "scoring_system": "epss", "scoring_elements": "0.62781", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00427", "scoring_system": "epss", "scoring_elements": "0.62752", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00427", "scoring_system": "epss", "scoring_elements": "0.62796", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00427", "scoring_system": "epss", "scoring_elements": "0.62805", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-10748" }, { "reference_url": "https://github.com/sequelize/sequelize/commit/a72a3f5,", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/commit/a72a3f5," }, { "reference_url": "https://github.com/sequelize/sequelize/pull/11089,", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/pull/11089," }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221" }, { "reference_url": "https://www.npmjs.com/advisories/1018", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1018" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10748", "reference_id": "CVE-2019-10748", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10748" }, { "reference_url": "https://github.com/advisories/GHSA-j9xp-92vc-559j", "reference_id": "GHSA-j9xp-92vc-559j", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j9xp-92vc-559j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76121?format=api", "purl": "pkg:npm/sequelize@3.35.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-uuy7-v2qy-yfhv" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.35.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/76081?format=api", "purl": "pkg:npm/sequelize@4.44.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-uuy7-v2qy-yfhv" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@4.44.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/76120?format=api", "purl": "pkg:npm/sequelize@5.8.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-hnqn-f4z6-m7gf" }, { "vulnerability": "VCID-hrt8-8z9v-euh8" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@5.8.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/76122?format=api", "purl": "pkg:npm/sequelize@5.8.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-hnqn-f4z6-m7gf" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@5.8.12" } ], "aliases": [ "CVE-2019-10748", "GHSA-j9xp-92vc-559j" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hrt8-8z9v-euh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38161?format=api", "vulnerability_id": "VCID-qraw-us96-3qej", "summary": "SQL Injection via GeoJSON\nSequelizeJS is vulnerable to SQL injection via GeoJSON documents containing a value with a single quote. This vulnerability affects postresql/postgis as well as MySQL.", "references": [ { "reference_url": "https://github.com/sequelize/sequelize/issues/6194", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sequelize/sequelize/issues/6194" }, { "reference_url": "https://github.com/sequelize/sequelize/pull/6302/commits/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sequelize/sequelize/pull/6302/commits/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1" }, { "reference_url": "https://github.com/sequelize/sequelize/pull/6303/commits/a81ac1f38476d553c92d522913e91c6e07acc4fa", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sequelize/sequelize/pull/6303/commits/a81ac1f38476d553c92d522913e91c6e07acc4fa" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52835?format=api", "purl": "pkg:npm/sequelize@3.23.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-hrt8-8z9v-euh8" }, { "vulnerability": "VCID-tccv-wk5y-jkde" }, { "vulnerability": "VCID-tufw-g33p-qqds" }, { "vulnerability": "VCID-uuy7-v2qy-yfhv" }, { "vulnerability": "VCID-v4z6-u42c-ukbh" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.23.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/205015?format=api", "purl": "pkg:npm/sequelize@4.0.0-0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-tccv-wk5y-jkde" }, { "vulnerability": "VCID-uuy7-v2qy-yfhv" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@4.0.0-0" } ], "aliases": [ "GMS-2016-41" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qraw-us96-3qej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41035?format=api", "vulnerability_id": "VCID-tccv-wk5y-jkde", "summary": "NoSQL Injection in sequelize\nVersions of `sequelize` prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as `$gt` are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection.\n\n\n## Recommendation\n\nUpgrade to version 4.12.0 or later", "references": [ { "reference_url": "https://github.com/sequelize/sequelize", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize" }, { "reference_url": "https://github.com/sequelize/sequelize/commit/ccb99daedb69e8750a241436415ccac8abef358d", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/commit/ccb99daedb69e8750a241436415ccac8abef358d" }, { "reference_url": "https://github.com/sequelize/sequelize/issues/7310", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/issues/7310" }, { "reference_url": "https://github.com/sequelize/sequelize/pull/8240", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/pull/8240" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-SEQUELIZE-174147", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-SEQUELIZE-174147" }, { "reference_url": "https://www.npmjs.com/advisories/820", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.npmjs.com/advisories/820" }, { "reference_url": "https://www.npmjs.com/advisories/820/versions", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.npmjs.com/advisories/820/versions" }, { "reference_url": "https://github.com/advisories/GHSA-wfp9-vr4j-f49j", "reference_id": "GHSA-wfp9-vr4j-f49j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wfp9-vr4j-f49j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58139?format=api", "purl": "pkg:npm/sequelize@4.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-hnqn-f4z6-m7gf" }, { "vulnerability": "VCID-hrt8-8z9v-euh8" }, { "vulnerability": "VCID-uuy7-v2qy-yfhv" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@4.12.0" } ], "aliases": [ "GHSA-wfp9-vr4j-f49j", "GMS-2019-139" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tccv-wk5y-jkde" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30535?format=api", "vulnerability_id": "VCID-tufw-g33p-qqds", "summary": "SQL Injection via GeoJSON\nSequelizeJS 3.23.4 is vulnerable to SQL injection via GeoJSON documents containing a value with a single quote. This vulnerability affects postresql/postgis as well as MySQL. This vulnerability only exists within GeoJSON documents using the function `ST_GeomFromGeoJSON` for postgresql/postgis and the function `GeomFromText` for mysql. SequelizeJS's `geometry` datatype is vulnerable. If you have SequelizeJS models with a field that has a datatype of 'Geometry' and run a mysql or postgresql/postgis backend, your application is vulnerable\n\nSequelizeJS is a popular ORM (Object Relational Mapper) for node. \n\nGeoJSON is a format for encoding a variety of geographic data structures.", "references": [ { "reference_url": "http://docs.sequelizejs.com/en/latest/api/datatypes/#geometry", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "http://docs.sequelizejs.com/en/latest/api/datatypes/#geometry" }, { "reference_url": "http://geojson.org/", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "http://geojson.org/" }, { "reference_url": "https://github.com/sequelize/sequelize", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize" }, { "reference_url": "https://github.com/sequelize/sequelize/commit/14e3deaf3ad27f12900e5275db1d448844c9de3e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/commit/14e3deaf3ad27f12900e5275db1d448844c9de3e" }, { "reference_url": "https://github.com/sequelize/sequelize/commit/18ac91040d9c57351d26ba998f460e214255b704", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/commit/18ac91040d9c57351d26ba998f460e214255b704" }, { "reference_url": "https://github.com/sequelize/sequelize/commit/562d52585902090f4e53eb21c61314098c29d795", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/commit/562d52585902090f4e53eb21c61314098c29d795" }, { "reference_url": "https://github.com/sequelize/sequelize/commit/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/commit/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1" }, { "reference_url": "https://github.com/sequelize/sequelize/issues/6194", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/issues/6194" }, { "reference_url": "https://github.com/sequelize/sequelize/pull/6302", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/pull/6302" }, { "reference_url": "https://github.com/sequelize/sequelize/pull/6306", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/pull/6306" }, { "reference_url": "https://snyk.io/vuln/npm:sequelize:20160718", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/npm:sequelize:20160718" }, { "reference_url": "https://www.npmjs.com/advisories/122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.npmjs.com/advisories/122" }, { "reference_url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/122.json", "reference_id": "122", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/122.json" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000225", "reference_id": "CVE-2016-1000225", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000225" }, { "reference_url": "https://github.com/advisories/GHSA-5v9h-q3gj-c32x", "reference_id": "GHSA-5v9h-q3gj-c32x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5v9h-q3gj-c32x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/6575?format=api", "purl": "pkg:npm/sequelize@3.23.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-hrt8-8z9v-euh8" }, { "vulnerability": "VCID-tccv-wk5y-jkde" }, { "vulnerability": "VCID-uuy7-v2qy-yfhv" }, { "vulnerability": "VCID-v4z6-u42c-ukbh" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.23.6" } ], "aliases": [ "CVE-2016-1000225", "GHSA-5v9h-q3gj-c32x", "GMS-2020-770" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tufw-g33p-qqds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53184?format=api", "vulnerability_id": "VCID-uuy7-v2qy-yfhv", "summary": "Denial of Service in sequelize\nVersions of `sequelize` prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a `TypeError` exception for the `results` variable. The `results` value may be undefined and trigger the error on a `.map` call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process. \n\nThe following proof-of-concept crashes the Node process: \n```\nconst Sequelize = require('sequelize');\n\nconst sequelize = new Sequelize({\n\tdialect: 'sqlite',\n\tstorage: 'database.sqlite'\n});\n\nconst TypeError = sequelize.define('TypeError', {\n\tname: Sequelize.STRING,\n});\n\nTypeError.sync({force: true}).then(() => {\n\treturn TypeError.create({name: \"SELECT tbl_name FROM sqlite_master\"});\n});\n```\n\n\n## Recommendation\n\nUpgrade to version 4.44.4 or later.", "references": [ { "reference_url": "https://github.com/sequelize/sequelize/pull/11877", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/pull/11877" }, { "reference_url": "https://www.npmjs.com/advisories/1142", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1142" }, { "reference_url": "https://github.com/advisories/GHSA-fw4p-36j9-rrj3", "reference_id": "GHSA-fw4p-36j9-rrj3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fw4p-36j9-rrj3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78218?format=api", "purl": "pkg:npm/sequelize@4.44.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@4.44.4" } ], "aliases": [ "GHSA-fw4p-36j9-rrj3", "GMS-2020-771" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uuy7-v2qy-yfhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51967?format=api", "vulnerability_id": "VCID-v4z6-u42c-ukbh", "summary": "sequelize allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-10749", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00357", "scoring_system": "epss", "scoring_elements": "0.58258", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00357", "scoring_system": "epss", "scoring_elements": "0.58308", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00357", "scoring_system": "epss", "scoring_elements": "0.58304", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00357", "scoring_system": "epss", "scoring_elements": "0.58315", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00357", "scoring_system": "epss", "scoring_elements": "0.58307", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00357", "scoring_system": "epss", "scoring_elements": "0.58289", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-10749" }, { "reference_url": "https://github.com/sequelize/sequelize/commit/ee4017379db0059566ecb5424274ad4e2d66bc68", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize/commit/ee4017379db0059566ecb5424274ad4e2d66bc68" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450222", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450222" }, { "reference_url": "https://www.npmjs.com/advisories/1017", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1017" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10749", "reference_id": "CVE-2019-10749", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10749" }, { "reference_url": "https://github.com/advisories/GHSA-2598-2f59-rmhq", "reference_id": "GHSA-2598-2f59-rmhq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2598-2f59-rmhq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76121?format=api", "purl": "pkg:npm/sequelize@3.35.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-uuy7-v2qy-yfhv" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.35.1" } ], "aliases": [ "CVE-2019-10749", "GHSA-2598-2f59-rmhq" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v4z6-u42c-ukbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38239?format=api", "vulnerability_id": "VCID-y51v-nwsy-dba4", "summary": "Improper Escaping of Bound Arrays\nIn Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.", "references": [ { "reference_url": "https://github.com/sequelize/sequelize/issues/5671", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sequelize/sequelize/issues/5671" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52943?format=api", "purl": "pkg:npm/sequelize@3.20.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-hrt8-8z9v-euh8" }, { "vulnerability": "VCID-qraw-us96-3qej" }, { "vulnerability": "VCID-tccv-wk5y-jkde" }, { "vulnerability": "VCID-tufw-g33p-qqds" }, { "vulnerability": "VCID-uuy7-v2qy-yfhv" }, { "vulnerability": "VCID-v4z6-u42c-ukbh" }, { "vulnerability": "VCID-zk15-66xk-2ydf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.20.0" } ], "aliases": [ "GMS-2016-78" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y51v-nwsy-dba4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44506?format=api", "vulnerability_id": "VCID-zk15-66xk-2ydf", "summary": "Sequelize vulnerable to SQL Injection via replacements\nSequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25813", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03518", "scoring_system": "epss", "scoring_elements": "0.87891", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.03518", "scoring_system": "epss", "scoring_elements": "0.87853", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.03518", "scoring_system": "epss", "scoring_elements": "0.87875", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.03518", "scoring_system": "epss", "scoring_elements": "0.87877", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.03518", "scoring_system": "epss", "scoring_elements": "0.87879", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25813" }, { "reference_url": "https://github.com/sequelize/sequelize", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sequelize/sequelize" }, { "reference_url": "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:23Z/" } ], "url": "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b" }, { "reference_url": "https://github.com/sequelize/sequelize/issues/14519", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:23Z/" } ], "url": "https://github.com/sequelize/sequelize/issues/14519" }, { "reference_url": "https://github.com/sequelize/sequelize/releases/tag/v6.19.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:23Z/" } ], "url": "https://github.com/sequelize/sequelize/releases/tag/v6.19.1" }, { "reference_url": "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25813", "reference_id": "CVE-2023-25813", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25813" }, { "reference_url": "https://github.com/advisories/GHSA-wrh9-cjv3-2hpw", "reference_id": "GHSA-wrh9-cjv3-2hpw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wrh9-cjv3-2hpw" }, { "reference_url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw", "reference_id": "GHSA-wrh9-cjv3-2hpw", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:23Z/" } ], "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64029?format=api", "purl": "pkg:npm/sequelize@6.19.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3ugq-njms-xkgd" }, { "vulnerability": "VCID-gzz4-8wz6-f3f9" }, { "vulnerability": "VCID-xn4n-x26m-5qdx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@6.19.1" } ], "aliases": [ "CVE-2023-25813", "GHSA-wrh9-cjv3-2hpw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zk15-66xk-2ydf" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/sequelize@3.19.3" }