sequelize@1.6.0 vulnerabilities

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

Direct Vulnerabilities

Known vulnerabilities in the sequelize package. This does not include vulnerabilities belonging to this package’s dependencies.

  • Severity: High
SQL Injection

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to SQL Injection due to improper escaping when a string value contains more than one $ character.

How to fix SQL Injection?

Upgrade sequelize to version 6.21.2 or higher.

Vulnerable versions: <6.21.2
  • Severity: Critical
SQL Injection


Affected versions of this package are vulnerable to SQL Injection via the replacements option. A malicious actor could pass values such as OR true; DROP TABLE users through replacements, resulting in arbitrary SQL execution.

How to fix SQL Injection?

Upgrade sequelize to version 6.19.1 or higher.

Vulnerable versions: <6.19.1
  • Severity: Medium
Denial of Service (DoS)


Affected versions of this package are vulnerable to Denial of Service (DoS). The afterResults function of the SQLite dialect does not catch a TypeError thrown while handling the results variable, so an attacker can submit crafted input that triggers the exception and crashes the Node process.

How to fix Denial of Service (DoS)?

Upgrade sequelize to version 4.44.4 or higher.

Vulnerable versions: <4.44.4
  • Severity: High
SQL Injection


Affected versions of this package are vulnerable to SQL Injection because JSON path keys are not properly sanitized in the Postgres dialect.

How to fix SQL Injection?

Upgrade sequelize to version 3.35.1 or higher.

Vulnerable versions: <3.35.1
  • Severity: High
Hash Injection


Affected versions of this package are vulnerable to Hash Injection. Using specially crafted requests, an attacker can bypass secret-token checks in applications that use sequelize.

For example:

db.Token.findOne({
  where: {
    token: req.query.token   // untrusted value passed straight into the where clause
  }
});

Node.js web frameworks (and other platforms) parse nested query parameters, so token[$gt]=1 becomes token = {"$gt": 1}. When such an object is passed to sequelize it is interpreted as an operator query (token greater than 1) and returns the first token in the database, bypassing the endpoint's check.
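
The two halves of this bug, as an added example that is not part of the advisory or of sequelize itself: a minimal parser showing how a bracketed query string becomes a nested object (a hypothetical stand-in for the qs-style parsing the advisory describes), and a guard that refuses to build a where clause unless the token is a plain string. The parseNested and tokenWhere names are assumptions.

```javascript
// Added example (not from the advisory or the sequelize project).
// parseNested: "token[$gt]=1" -> { token: { $gt: "1" } }, mimicking the
// nested-parameter behaviour of common Node.js query-string parsers.
// URLSearchParams is a Node.js global, so no imports are needed.
function parseNested(queryString) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(queryString)) {
    const path = rawKey.replace(/\]/g, '').split('[');
    let node = out;
    path.forEach((part, i) => {
      if (i === path.length - 1) {
        node[part] = value;
      } else {
        if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
        node = node[part];
      }
    });
  }
  return out;
}

// tokenWhere: the hardened side. An auth token must be a non-empty string;
// any object (such as { $gt: "1" }) is rejected before it can reach the ORM,
// where sequelize < 4.12.0 would treat it as an operator hash (token > 1).
function tokenWhere(query) {
  const token = query.token;
  if (typeof token !== 'string' || token.length === 0) {
    throw new TypeError('token must be a non-empty string');
  }
  return { where: { token } };
}

// demo: constructed benign and hostile query strings run through both steps.
function demo() {
  const benign = parseNested('token=abc123');          // constructed input
  const hostile = parseNested('token[$gt]=1');         // constructed input
  let blocked = false;
  try {
    tokenWhere(hostile);
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  return { benign: tokenWhere(benign), hostileShape: hostile, blocked };
}
```

The type check is the durable fix regardless of ORM version: upgrading removes the operator aliases, but an endpoint that accepts whatever shape the request parser hands it is still fragile.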

How to fix Hash Injection?

Upgrade sequelize to version 4.12.0 or higher.

Vulnerable versions: <4.12.0
  • Severity: Medium
SQL Injection

sequelize is a multi-dialect ORM for Node.js/io.js. Affected versions of the package are vulnerable to SQL Injection when a user-supplied search string is passed directly into a where clause. For example, a user search endpoint that takes the name to search for and executes:

User.findAll({ where: { name: req.body.name } });

An attacker can enter $password$ as the name, which affected versions treat as a column reference rather than a literal string, allowing users' passwords to be discovered. This could be avoided by constraining the value to a literal for the exact column being searched instead of passing raw input through.

How to fix SQL Injection?

Upgrade sequelize to version 3.12.1 or higher.

Vulnerable versions: <3.12.1
  • Severity: Medium
SQL Injection

sequelize versions prior to 1.7.0-alpha3 are vulnerable to SQL Injection attacks if untrusted user input is passed into the order parameter.

How to fix SQL Injection?

Upgrade to version 1.7.0-alpha3 or greater.

Vulnerable versions: >=0.2.2 <1.7.0-alpha3
  • Severity: Medium
SQL Injection

Beginning with sequelize version 3.0.0, two security related changes were introduced:

  • findOne no longer takes a string / integer / binary argument to represent a primaryKey. Use findById instead.
  • where: "raw query" is no longer legal, you must now explicitly use where: ["raw query", [replacements]]

How to fix SQL Injection?

Upgrade to version 3.0.0 or greater.

Vulnerable versions: <2.1.4
  • Severity: Medium
Remote Memory Exposure

A potential memory disclosure vulnerability exists in sequelize versions prior to 3.17.2. A field of type DataTypes.BLOB can be used to expose sensitive information such as code, runtime memory and user data into the database.

Details

sequelize uses the Buffer type to represent DataTypes.BLOB. Initializing a Buffer with an integer N creates a Buffer of length N whose memory is not zeroed. Example:

var x = new Buffer(100);   // uninitialized Buffer of length 100 (contents are whatever was in memory)
// vs
var y = new Buffer('100'); // 3-byte Buffer initialized with the string '100'

Initializing a BLOB field in this way writes uninitialized memory into the database. The patch changes sequelize's Buffer initialization for BLOB fields so that a numeric value N is first converted to a string, initializing the Buffer with the ASCII form of N rather than with N uninitialized bytes.
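
The contrast the patch relies on, as an added example that is neither the sequelize patch nor code from the advisory: the unsafe numeric construction next to a coercion step in the spirit of the fix. It uses the modern Buffer.alloc / Buffer.from API instead of the deprecated new Buffer constructor; the function names are assumptions.

```javascript
// Added example (not sequelize's code). Buffer is a Node.js global.

// Vulnerable pattern: a numeric value N yields N bytes of uninitialized memory.
// Buffer.allocUnsafe(N) is the modern equivalent of the old `new Buffer(N)`.
function blobFromValueUnsafe(value) {
  if (typeof value === 'number') return Buffer.allocUnsafe(value);
  return Buffer.from(value);
}

// Hardened pattern, modelled on the fix described above: numbers are turned
// into their string form first, so 100 becomes the 3-byte Buffer "100"
// rather than a 100-byte window into previously used memory.
function blobFromValue(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'number') value = String(value);
  if (typeof value !== 'string') {
    throw new TypeError('BLOB value must be a string, number or Buffer');
  }
  return Buffer.from(value, 'utf8');
}

// Report what each construction produces for the advisory's value of 100.
function compare(n) {
  return {
    unsafeLength: blobFromValueUnsafe(n).length, // n bytes of stale memory
    safeLength: blobFromValue(n).length,         // String(n).length bytes
    safeText: blobFromValue(n).toString('utf8'), // the decimal digits of n
  };
}
```

On current Node.js releases Buffer.alloc(N) zero-fills, so the leak only reproduces through allocUnsafe or the legacy constructor; the coercion in blobFromValue is still worth keeping so that a number never reaches the BLOB path by accident.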


Proof of concept

var Sequelize = require('sequelize');
var sequelize = new Sequelize('pastebin', null, null,
    { host: '127.0.0.1', dialect: 'postgres', });

var Task = sequelize.define('Pastebin', {
    title: Sequelize.STRING,
    content: Sequelize.BLOB,
  });

Task.create({
  title: 'title',
  content: 100,
}).then(function (task) {
  console.log(task.title);
  console.log(task.content); // will print out 100 bytes of previously used memory
});

How to fix Remote Memory Exposure?

Upgrade sequelize to version 3.17.2 or higher.

Vulnerable versions: <3.17.2
  • Severity: Medium
SQL Injection

sequelize versions prior to 3.20.0 improperly escape arrays of strings bound to named parameters.

How to fix SQL Injection?

Upgrade to version 3.20.0 or greater.

Vulnerable versions: <3.20.0
  • Severity: High
SQL Injection

sequelize versions prior to 3.17.0 are vulnerable to SQL Injection attacks if untrusted user input is passed into the order or limit parameters.
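
Both order-parameter advisories on this page (the one above for versions before 1.7.0-alpha3 and this one) come down to the same practice: never hand a raw request string to order or limit. The following is an added example, not sequelize's own code, that builds those two options from untrusted input using an allow-list of sortable columns and a clamped integer limit. The column names, the default page size and the function names are assumptions.

```javascript
// Added example (not from sequelize or the advisory). Builds `order` and
// `limit` options in the array form sequelize documents, so only values
// from a fixed allow-list can reach the query builder.
const SORTABLE_COLUMNS = new Set(['id', 'name', 'createdAt']); // assumed schema
const DEFAULT_ORDER = [['id', 'ASC']];
const DEFAULT_LIMIT = 20;
const MAX_LIMIT = 100;

// Accepts "column" or "column:dir". Unknown columns fall back to the default
// order instead of being interpolated, so "name); DROP TABLE users" is inert.
function safeOrder(sortParam) {
  if (typeof sortParam !== 'string') return DEFAULT_ORDER;
  const [col, dir = 'ASC'] = sortParam.split(':', 2);
  if (!SORTABLE_COLUMNS.has(col)) return DEFAULT_ORDER;
  const direction = dir.toUpperCase() === 'DESC' ? 'DESC' : 'ASC';
  return [[col, direction]];
}

// Coerces to a positive integer and clamps it; anything unparsable gets the
// default, so "10; DROP TABLE users" cannot reach the LIMIT clause as text.
function safeLimit(limitParam) {
  const n = Number.parseInt(limitParam, 10);
  if (!Number.isInteger(n) || n < 1) return DEFAULT_LIMIT;
  return Math.min(n, MAX_LIMIT);
}

// Options object ready for Model.findAll(); only whitelisted values appear.
function buildFindOptions(query) {
  return { order: safeOrder(query.sort), limit: safeLimit(query.limit) };
}
```

Allow-listing the column and constructing the array form yourself is the durable defence: the upgrade removes the interpolation of raw strings, but it cannot know which columns a given endpoint should expose for sorting.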

How to fix SQL Injection?

Upgrade to version 3.17.0 or greater.

Vulnerable versions: >=0.2.2 <3.13.17
  • Severity: High
SQL Injection

sequelize versions prior to 2.0.0-rc7 are vulnerable to SQL Injection attacks if untrusted user input is passed into the order parameter.

How to fix SQL Injection?

Upgrade to version 2.0.0-rc8 or greater.

Vulnerable versions: <2.0.0-rc8