Hash Injection Affecting sequelize package, versions <4.12.0


Severity: high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept

  • Snyk ID: SNYK-JS-SEQUELIZE-174147
  • Published: 7 Apr 2019
  • Disclosed: 1 Mar 2017
  • Credit: Egor Homakov

Introduced: 1 Mar 2017

CVE: not available. CWE: CWE-77

How to fix?

Upgrade sequelize to version 4.12.0 or higher.

Overview

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to Hash Injection. Using specially crafted requests, an attacker can bypass secret_token protections on websites using sequelize.

For example:

db.Token.findOne({
      where: {
        // req.query.token may be an object such as {"$gt": 1}, not a string
        token: req.query.token
      }
});

Node.js and other platforms allow nested parameters: for example, token[$gt]=1 is transformed into token = {"$gt":1}. When such a hash is passed into sequelize, it is treated as a query operator (greater than 1), so the lookup returns the first token in the DB, bypassing the security of this endpoint.
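The behaviour described above, next to a handler that rejects non-string tokens, as an added example that is not code from Snyk or the sequelize project. `parseQuery`, `findOne`, `TOKENS`, `lookupUnsafe` and `lookupSafe` are hypothetical stand-ins: a simplified nested query parser and an in-memory lookup that interprets `$gt` the way the text describes.

```javascript
// Constructed sample rows standing in for the Token table.
const TOKENS = [
  { id: 1, token: "9f2c1e7a-constructed", userId: 42 },
  { id: 2, token: "b81d44c0-constructed", userId: 43 },
];

// Simplified stand-in for nested query parsing:
// "token[$gt]=1" becomes { token: { $gt: "1" } }.
function parseQuery(search) {
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const [key, value] of new URLSearchParams(search)) {
    const m = /^([^\[\]]+)\[([^\[\]]+)\]$/.exec(key);
    if (!m) { out[key] = value; continue; }
    if (typeof out[m[1]] !== "object") out[m[1]] = Object.create(null);
    out[m[1]][m[2]] = value;
  }
  return out;
}

// Hypothetical mock lookup: an object value is read as an operator
// expression instead of a literal, as the text describes for affected versions.
function findOne({ where }) {
  const match = TOKENS.find((row) =>
    Object.entries(where).every(([col, cond]) =>
      cond !== null && typeof cond === "object"
        ? "$gt" in cond && row[col] > cond.$gt
        : row[col] === cond
    )
  );
  return match || null;
}

// Vulnerable shape from the page: the parsed value goes straight into `where`.
function lookupUnsafe(search) {
  return findOne({ where: { token: parseQuery(search).token } });
}

// Hardened: only a non-empty string is accepted, so an operator object
// never reaches the query layer.
function lookupSafe(search) {
  const { token } = parseQuery(search);
  if (typeof token !== "string" || token.length === 0) return null;
  return findOne({ where: { token } });
}
```

The type check is defence in depth at the request boundary; the fix the page gives is still the upgrade to 4.12.0 or higher.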

CVSS Scores

version 3.1