sequelize@6.37.6

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

  • latest version

    6.37.8

  • latest non vulnerable version

    6.37.8
  • first published

    14 years ago

  • latest version published

    1 month ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the sequelize package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • High severity
    SQL Injection

    sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

    Affected versions of this package are vulnerable to SQL Injection via the _traverseJSON() function. When building a JSON path expression it escapes the JSON path values but not the cast type written after the :: operator, so that part of the generated SQL is emitted unescaped. An attacker who controls JSON object keys passed into a WHERE clause on a JSON column can therefore inject SQL and read data from arbitrary database tables. Applications that forward user-supplied object keys (not just values) into a Sequelize `where` on a JSON column are the exposed case.

    How to fix SQL Injection?

    Upgrade sequelize to version 6.37.8 or higher.

    Vulnerable versions: >=6.0.0-beta.1 <6.37.8
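Two checks a practitioner would want alongside this advisory, written here as an added example in plain Node.js (it is not Sequelize's own code and does not import Sequelize): an allowlist that rejects untrusted JSON object keys before they can reach a `where` clause, which closes the attack surface described above regardless of the installed version, and a small semver comparison that evaluates the affected range `>=6.0.0-beta.1 <6.37.8` against a version string. The function names `buildJsonWhere`, `compareVersions` and `isAffectedSequelize`, and the column and filter inputs, are assumptions made for the example.

```javascript
// Added example, not part of the Snyk page or of the Sequelize project.
//
// 1. Key allowlisting for JSON-column lookups.
// The advisory says the cast type after `::` in a JSON path was not escaped,
// and that attacker-controlled object *keys* in a `where` clause are the
// vector. Restricting keys to plain identifiers means a key can never carry
// `::`, quotes, parentheses or whitespace into the generated SQL.
const SAFE_JSON_KEY = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

// Build a Sequelize-style `where` object ({ column: { key: value } }) for a
// JSON column from an untrusted filter object. Throws on anything that could
// influence SQL structure. `column` is assumed to be developer-controlled.
function buildJsonWhere(column, untrustedFilter) {
  if (typeof column !== 'string' || !SAFE_JSON_KEY.test(column)) {
    throw new Error('column name must be a plain identifier');
  }
  if (untrustedFilter === null || typeof untrustedFilter !== 'object' ||
      Array.isArray(untrustedFilter)) {
    throw new Error('filter must be a plain object');
  }
  const nested = {};
  for (const key of Object.keys(untrustedFilter)) {
    if (!SAFE_JSON_KEY.test(key)) {
      throw new Error(`rejected JSON key: ${JSON.stringify(key)}`);
    }
    const value = untrustedFilter[key];
    // Values are escaped by the ORM, but only scalars are accepted so a
    // nested object cannot smuggle further (unchecked) keys.
    if (value !== null && typeof value === 'object') {
      throw new Error(`rejected non-scalar value for key ${key}`);
    }
    nested[key] = value;
  }
  return { [column]: nested };
}

// 2. Affected-range check for the version strings in the advisory.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] ? m[4].split('.') : null };
}

// Returns -1, 0 or 1. A prerelease sorts below the same release version;
// prerelease identifiers compare numerically when both are numeric,
// otherwise lexically, and numeric identifiers sort below alphanumeric ones.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  }
  if (!A.pre && !B.pre) return 0;
  if (!A.pre) return 1;
  if (!B.pre) return -1;
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    if (A.pre[i] === undefined) return -1;
    if (B.pre[i] === undefined) return 1;
    const x = A.pre[i], y = B.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) {
      return -1;
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Affected range taken from the advisory: >=6.0.0-beta.1 <6.37.8
function isAffectedSequelize(version) {
  return compareVersions(version, '6.0.0-beta.1') >= 0 &&
         compareVersions(version, '6.37.8') < 0;
}

module.exports = { buildJsonWhere, compareVersions, isAffectedSequelize };
```

`isAffectedSequelize('6.37.6')` reports the page's own version as affected, while `buildJsonWhere('data', { 'id::text': 'x' })` throws because the key contains the cast operator; a filter such as `{ role: 'admin' }` passes through unchanged. The key allowlist is deliberately stricter than what the ORM escapes, since it is the cheaper invariant to reason about than the escaping rules of a particular Sequelize release.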