sequelize@3.19.3 vulnerabilities

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

  • latest version

    6.37.5

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    1 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the sequelize package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Access of Resource Using Incompatible Type ('Type Confusion')

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') due to improper user-input sanitization, due to unsafe fall-through in GET WHERE conditions.

    How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

    Upgrade sequelize to version 6.28.1 or higher.

    <6.28.1
    • M
    Information Exposure

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to Information Exposure due to improper user-input, by allowing an attacker to create malicious queries leading to SQL errors.

    How to fix Information Exposure?

    Upgrade sequelize to version 6.28.1 or higher.

    <6.28.1
    • H
    Improper Filtering of Special Elements

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to Improper Filtering of Special Elements due to attributes not being escaped if they included ( and ), or were equal to * and were split if they included the character ..

    How to fix Improper Filtering of Special Elements?

    Upgrade sequelize to version 6.29.0 or higher.

    <6.29.0
    • H
    SQL Injection

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to SQL Injection due to an improper escaping for multiple appearances of $ in a string.

    How to fix SQL Injection?

    Upgrade sequelize to version 6.21.2 or higher.

    <6.21.2
    • C
    SQL Injection

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to SQL Injection via the replacements statement. It allowed a malicious actor to pass dangerous values such as OR true; DROP TABLE users through replacements which would result in arbitrary SQL execution.

    How to fix SQL Injection?

    Upgrade sequelize to version 6.19.1 or higher.

    <6.19.1
    • M
    Denial of Service (DoS)

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to Denial of Service (DoS). The afterResults function for the SQLite dialect fails to catch a TypeError exception for the results variable. This allows attackers to submit malicious input that forces the exception and crashes the Node process.

    How to fix Denial of Service (DoS)?

    Upgrade sequelize to version 4.44.4 or higher.

    <4.44.4
    • H
    SQL Injection

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to SQL Injection due to JSON path keys not being properly sanitized in the Postgres dialect.

    How to fix SQL Injection?

    Upgrade sequelize to version 3.35.1 or higher.

    <3.35.1
    • H
    SQL Injection

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.

    How to fix SQL Injection?

    Upgrade sequelize to version 3.35.1, 4.44.3, 5.8.11 or higher.

    >=3.0.0 <3.35.1>=4.0.0 <4.44.3>=5.0.0-0 <5.8.11
    • H
    Hash Injection

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to Hash Injection. Using specially crafted requests an attacker can bypass secret_token protections on websites using sequalize.

    For example:

    db.Token.findOne({
          where: {
            token: req.query.token
          }
    );
    

    Node.js and other platforms allow nested parameters, i.e. token[$gt]=1 will be transformed into token = {"$gt":1}. When such a hash is passed into sequalize it will consider it a query (greater than 1) and find the first token in the DB, bypassing security of this endpoint.

    How to fix Hash Injection?

    Upgrade sequelize to version 4.12.0 or higher.

    <4.12.0
    • C
    SQL Injection

    sequelize versions prior to 3.23.6 are vulnerable to SQL injection via GeoJSON documents that contain a value with a single quote. GeoJSON is a format used for encoding a variety of geographic data structures in a standard JSON document. The vulnerability exists within GeoJSON documents using the function ST_GeomFromGeoJSON (for postgresql/postgis) and the function GeomFromText (for mysql).

    Note that sequelize users who do not use these specific functions are not affected. For users who do use these functions, this vulnerability has a high impact and is easily expoited, hence its high severity classification.

    How to fix SQL Injection?

    Upgrade to version 3.23.6 or greater.

    >=3.4.0 <3.23.6
    • M
    SQL Injection

    sequelize versions prior to 3.20.0 improperly escape arrays of strings bound to named parameters.

    How to fix SQL Injection?

    Upgrade to version 3.20.0 or greater.

    <3.20.0