sequelize@3.14.2 vulnerabilities

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

Direct Vulnerabilities

Known vulnerabilities in the sequelize package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • M
Access of Resource Using Incompatible Type ('Type Confusion')

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') due to improper user-input sanitization, caused by unsafe fall-through in GET WHERE conditions.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade sequelize to version 6.28.1 or higher.

<6.28.1
  • M
Information Exposure

Affected versions of this package are vulnerable to Information Exposure due to improper handling of user input, which allows an attacker to craft malicious queries that lead to SQL errors.

How to fix Information Exposure?

Upgrade sequelize to version 6.28.1 or higher.

<6.28.1
  • H
Improper Filtering of Special Elements

Affected versions of this package are vulnerable to Improper Filtering of Special Elements: attributes were not escaped if they included ( and ), or were equal to *, and were split if they included the "." character.

How to fix Improper Filtering of Special Elements?

Upgrade sequelize to version 6.29.0 or higher.

<6.29.0
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection due to improper escaping of multiple appearances of $ in a string.

How to fix SQL Injection?

Upgrade sequelize to version 6.21.2 or higher.

<6.21.2
  • C
SQL Injection

Affected versions of this package are vulnerable to SQL Injection via the replacements statement. It allowed a malicious actor to pass dangerous values such as OR true; DROP TABLE users through replacements which would result in arbitrary SQL execution.

How to fix SQL Injection?

Upgrade sequelize to version 6.19.1 or higher.

<6.19.1
  • M
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS). The afterResults function for the SQLite dialect fails to catch a TypeError exception for the results variable. This allows attackers to submit malicious input that forces the exception and crashes the Node process.

How to fix Denial of Service (DoS)?

Upgrade sequelize to version 4.44.4 or higher.

<4.44.4
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection due to JSON path keys not being properly sanitized in the Postgres dialect.

How to fix SQL Injection?

Upgrade sequelize to version 3.35.1 or higher.

<3.35.1
  • H
SQL Injection

Affected versions of this package are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.

How to fix SQL Injection?

Upgrade sequelize to version 3.35.1, 4.44.3, 5.8.11 or higher.

>=3.0.0 <3.35.1 >=4.0.0 <4.44.3 >=5.0.0-0 <5.8.11
  • H
Hash Injection

Affected versions of this package are vulnerable to Hash Injection. Using specially crafted requests, an attacker can bypass secret_token protections on websites using sequelize.

For example:

// req.query.token is passed through unchecked, so it may be an object
db.Token.findOne({
  where: {
    token: req.query.token
  }
});

Node.js and other platforms allow nested parameters, i.e. token[$gt]=1 will be transformed into token = {"$gt":1}. When such a hash is passed into sequelize, it is treated as a query operator (greater than 1) and matches the first token in the DB, bypassing the security of this endpoint.
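The behaviour described above, modelled as an added example (not Snyk's or Sequelize's code) together with a type check that stops it. Assumptions: parseQuery is a minimal stand-in for a bracket-notation query parser, findOne is a toy model of operator handling in a where clause, and the token row is constructed.

```javascript
// Constructed sample row standing in for the Token table.
const TOKENS = [{ token: 'f3a9c1d2e4', userId: 7 }];

// Stand-in for a qs-style parser: "a[b]=1" becomes { a: { b: "1" } }.
// Null-prototype objects keep keys such as "__proto__" harmless.
function parseQuery(qs) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(qs)) {
    const m = /^([^\[\]]+)\[([^\[\]]+)\]$/.exec(rawKey);
    if (!m) { out[rawKey] = value; continue; }
    if (typeof out[m[1]] !== 'object') out[m[1]] = Object.create(null);
    out[m[1]][m[2]] = value;
  }
  return out;
}

// Toy model of a where clause that, like the affected versions, treats an
// object value as an operator expression ($gt means "greater than").
function findOne(rows, where) {
  return rows.find((row) =>
    Object.entries(where).every(([col, cond]) => {
      if (cond !== null && typeof cond === 'object') {
        return '$gt' in cond && row[col] > cond.$gt;
      }
      return row[col] === cond;
    })) || null;
}

// Same shape as the snippet above: the parsed value goes in unchecked.
function findTokenVulnerable(rows, query) {
  return findOne(rows, { token: query.token });
}

// Hardened: only a non-empty string may reach the where clause.
function findTokenSafe(rows, query) {
  const token = query.token;
  if (typeof token !== 'string' || token.length === 0) return null;
  return findOne(rows, { token });
}

function demo() {
  const forged = parseQuery('token[$gt]=1'); // request form quoted above
  return {
    forgedShape: JSON.stringify(forged),
    vulnerable: findTokenVulnerable(TOKENS, forged),
    safeForged: findTokenSafe(TOKENS, forged),
    safeHonest: findTokenSafe(TOKENS, parseQuery('token=f3a9c1d2e4')),
  };
}
console.log(demo());
```

The same typeof check belongs on every request value that is placed directly into a where clause, whichever sequelize version is installed.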

How to fix Hash Injection?

Upgrade sequelize to version 4.12.0 or higher.

<4.12.0
  • C
SQL Injection

sequelize versions prior to 3.23.6 are vulnerable to SQL injection via GeoJSON documents that contain a value with a single quote. GeoJSON is a format used for encoding a variety of geographic data structures in a standard JSON document. The vulnerability exists within GeoJSON documents using the function ST_GeomFromGeoJSON (for postgresql/postgis) and the function GeomFromText (for mysql).

Note that sequelize users who do not use these specific functions are not affected. For users who do use these functions, this vulnerability has a high impact and is easily exploited, hence its high severity classification.

How to fix SQL Injection?

Upgrade to version 3.23.6 or greater.

>=3.4.0 <3.23.6
  • M
Remote Memory Exposure

A potential memory disclosure vulnerability exists in sequelize versions prior to 3.17.2. A field of type DataTypes.BLOB can be used to expose sensitive information such as code, runtime memory and user data into the database.

Details

sequelize uses the Buffer type to represent DataTypes.BLOB. Initializing a Buffer with an integer N creates a Buffer of length N whose memory is not zeroed out. Example:

var x = new Buffer(100); // uninitialized Buffer of length 100
// vs
var x = new Buffer('100'); // initialized Buffer with value of '100'

Initializing a BLOB field in this manner will dump uninitialized memory into the database. The patch wraps Buffer field initialization in sequelize by converting a number value N to a string, initializing the Buffer with N in its ASCII form.

Proof of concept

var Sequelize = require('sequelize');
var sequelize = new Sequelize('pastebin', null, null,
    { host: '127.0.0.1', dialect: 'postgres', });

var Task = sequelize.define('Pastebin', {
    title: Sequelize.STRING,
    content: Sequelize.BLOB,
  });

Task.create({
  title: 'title',
  content: 100,
}).then(function (task) {
  console.log(task.title);
  console.log(task.content); // will print out 100 bytes of previously used memory
});

How to fix Remote Memory Exposure?

Upgrade sequelize to version >= 3.17.3

<3.17.2
  • M
SQL Injection

sequelize versions prior to 3.20.0 improperly escape arrays of strings bound to named parameters.

How to fix SQL Injection?

Upgrade to version 3.20.0 or greater.

<3.20.0