Vulnerabilities from the last week
SQL Injection
sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.
Affected versions of this package are vulnerable to SQL Injection via the _traverseJSON() function, which escapes JSON path values but not cast types (after the :: operator). An attacker can read data from arbitrary database tables by injecting malicious SQL in JSON object keys in a WHERE clause.
Directory Traversal
dbt-common is the shared set of common utilities that dbt-core and adapter implementations use.
Affected versions of this package are vulnerable to Directory Traversal via the safe_extract function. An attacker can write files outside the intended extraction directory by supplying a malicious tarball archive that exploits string-prefix-based path validation. The only target paths that can be written to are ones that share a prefix with valid paths.
Infinite loop
Affected versions of this package are vulnerable to Infinite loop in the FileTypeParser class. This is triggered when the ASF (WMV/WMA) parser receives input including an ASF sub-header with a size value of 0. An attacker can interrupt service with a 55-byte payload.
Recent vulnerabilities disclosed by Snyk
- Improper Handling of Case Sensitivity in @whyour/qinglong (npm), severity C
- Remote Code Execution (RCE) in @whyour/qinglong (npm), severity C
- Cross-site Scripting (XSS) in spin.js (npm), severity M
- Arbitrary Code Injection in es-toolkit (npm), severity C
- Cross-site Scripting (XSS) in mailparser (npm), severity M
Snyk security researchers have disclosed 3473 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.