sequelize@5.16.0 vulnerabilities

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

latest version

6.37.5
latest non vulnerable version

7.0.0-next.1
first published

14 years ago
latest version published

a month ago
licenses detected
- MIT
  >=0
View sequelize package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the sequelize package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Access of Resource Using Incompatible Type ('Type Confusion') sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') due to improper user-input sanitization, due to unsafe fall-through in `GET WHERE` conditions. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `sequelize` to version 6.28.1 or higher.	<6.28.1
M Information Exposure sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server. Affected versions of this package are vulnerable to Information Exposure due to improper user-input, by allowing an attacker to create malicious queries leading to SQL errors. How to fix Information Exposure? Upgrade `sequelize` to version 6.28.1 or higher.	<6.28.1
H Improper Filtering of Special Elements sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server. Affected versions of this package are vulnerable to Improper Filtering of Special Elements due to attributes not being escaped if they included `(` and `)`, or were equal to `*` and were split if they included the character `.`. How to fix Improper Filtering of Special Elements? Upgrade `sequelize` to version 6.29.0 or higher.	<6.29.0
H SQL Injection sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server. Affected versions of this package are vulnerable to SQL Injection due to an improper escaping for multiple appearances of `$` in a string. How to fix SQL Injection? Upgrade `sequelize` to version 6.21.2 or higher.	<6.21.2
C SQL Injection sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server. Affected versions of this package are vulnerable to SQL Injection via the `replacements` statement. It allowed a malicious actor to pass dangerous values such as `OR true; DROP TABLE` users through replacements which would result in arbitrary SQL execution. How to fix SQL Injection? Upgrade `sequelize` to version 6.19.1 or higher.	<6.19.1

Go back to all versions of this package

sequelize@5.16.0 vulnerabilities

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities