sequelize@4.43.2 vulnerabilities

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

Direct Vulnerabilities

Known vulnerabilities in the sequelize package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry lists the vulnerability, its severity, and the vulnerable version range.

Vulnerability: SQL Injection (severity: High)

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to SQL Injection due to improper escaping of strings containing multiple occurrences of the $ character.

How to fix SQL Injection?

Upgrade sequelize to version 6.21.2 or higher.

Vulnerable versions: <6.21.2

Vulnerability: SQL Injection (severity: Critical)


Affected versions of this package are vulnerable to SQL Injection via the replacements option. It allowed a malicious actor to pass dangerous values such as "OR true; DROP TABLE users" through replacements, which would result in arbitrary SQL execution.

How to fix SQL Injection?

Upgrade sequelize to version 6.19.1 or higher.

Vulnerable versions: <6.19.1

Vulnerability: Denial of Service (DoS) (severity: Medium)


Affected versions of this package are vulnerable to Denial of Service (DoS). The afterResults function for the SQLite dialect fails to catch a TypeError exception for the results variable. This allows attackers to submit malicious input that forces the exception and crashes the Node process.

How to fix Denial of Service (DoS)?

Upgrade sequelize to version 4.44.4 or higher.

Vulnerable versions: <4.44.4

Vulnerability: SQL Injection (severity: High)


Affected versions of this package are vulnerable to SQL Injection because the sequelize.json() helper function does not properly escape values when formatting sub-paths for JSON queries on MySQL, MariaDB and SQLite.

How to fix SQL Injection?

Upgrade sequelize to version 4.44.3, 5.15.1 or higher.

Vulnerable versions: >=4.0.0 <4.44.3, >=5.0.0-0 <5.15.1

Vulnerability: SQL Injection (severity: High)


Affected versions of this package are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.

How to fix SQL Injection?

Upgrade sequelize to version 3.35.1, 4.44.3, 5.8.11 or higher.

Vulnerable versions: >=3.0.0 <3.35.1, >=4.0.0 <4.44.3, >=5.0.0-0 <5.8.11