SQL Injection Affecting sequelize Open this link in a new tab package, versions >=0.2.2 <3.13.17

Attack Complexity

Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

npm:sequelize:20160106
published

1 Apr 2016
disclosed

6 Jan 2015
credit

Spencer Creasey

Report a new vulnerability Found a mistake?

Introduced: 6 Jan 2015

CWE-89 Open this link in a new tab

How to fix?

Upgrade to version 3.17.0 or greater.

Overview

sequelize versions prior to 3.17.0 are vulnerable to SQL Injection attacks if untrusted user input is passed into the order or limit parameters.

Example

models.User.findAll({
  limit: '1; DELETE FROM "Users" WHERE 1=1; --',
}).then(function (users) {
  console.log(users);
});

References

https://github.com/sequelize/sequelize/pull/5167
https://github.com/sequelize/sequelize/blob/master/changelog.md#3170
https://github.com/sequelize/sequelize/commit/d198d78182cbf1ea3ef1706740b35813a6aa0838

SQL Injection Affecting sequelize Open this link in a new tab package, versions >=0.2.2 <3.13.17

Attack Complexity

snyk-id

published

disclosed

credit

Introduced: 6 Jan 2015

How to fix?

Overview

Example

References