SQL Injection The advisory has been revoked - it doesn't affect any version of package sequelize  (opens in a new tab)


Threat Intelligence

EPSS
0.18% (56th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about SQL Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDnpm:sequelize:20150517
  • published1 Apr 2016
  • disclosed17 May 2015
  • creditUnknown

Introduced: 17 May 2015

CVE-2016-10553  (opens in a new tab)
CWE-89  (opens in a new tab)

How to fix?

Upgrade to version 3.0.0 or greater.

Overview

Beginning with sequelize version 3.0.0, two security related changes were introduced:

  • findOne no longer takes a string / integer / binary argument to represent a primaryKey. Use findById instead.
  • where: "raw query" is no longer legal, you must now explicitly use where: ["raw query", [replacements]]