Remote Memory Exposure Affecting sequelize Open this link in a new tab package, versions <3.17.2

  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    1 Apr 2016

  • disclosed

    15 Jan 2016

How to fix?

Upgrade sequelize to version >= 3.17.3


A potential memory disclosure vulnerability exists in sequelize versions prior to 3.17.2. A field of type DataTypes.BLOB can be used to expose sensitive information such as code, runtime memory and user data into the database.


sequelize uses the Buffer type to represent DataTypes.BLOB. Initializing a Buffer with integer N creates a Buffer of length N with non zero-ed out memory. Example:

var x = new Buffer(100); // uninitialized Buffer of length 100
// vs
var x = new Buffer('100'); // initialized Buffer with value of '100'

Initializing a BLOB field in such manner will dump uninitialized memory into the database. The patch wraps Buffer field initialization in sequelize by converting a number value N to a string, initializing the Buffer with N in its ascii form.


Proof of concept

var Sequelize = require('sequelize');
var sequelize = new Sequelize('pastebin', null, null,
    { host: '', dialect: 'postgres', });

var Task = sequelize.define('Pastebin', { title: Sequelize.STRING, content: Sequelize.BLOB, });

Task.create({ title: 'title', content: 100, }).then(function (task) { console.log(task.title); console.log(task.content); // will print out 100 bytes of previously used memory });