Hash Injection Affecting sequelize package, versions <4.12.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-SEQUELIZE-174147
- published 7 Apr 2019
- disclosed 1 Mar 2017
- credit Egor Homakov
How to fix?
Upgrade sequelize to version 4.12.0 or higher.
Overview
sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.
Affected versions of this package are vulnerable to Hash Injection. Using specially crafted requests an attacker can bypass secret_token protections on websites using sequalize.
For example:
db.Token.findOne({
where: {
token: req.query.token
}
);
Node.js and other platforms allow nested parameters, i.e. token[$gt]=1 will be transformed into token = {"$gt":1}. When such a hash is passed into sequalize it will consider it a query (greater than 1) and find the first token in the DB, bypassing security of this endpoint.