SQL Injection Affecting sequelize package, versions >=3.4.0 <3.23.6


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:sequelize:20160718
  • published 18 Jul 2016
  • disclosed 20 Jul 2016
  • credit contra

How to fix?

Upgrade to version 3.23.6 or greater.

Overview

sequelize versions prior to 3.23.6 are vulnerable to SQL injection via GeoJSON documents that contain a value with a single quote. GeoJSON is a format used for encoding a variety of geographic data structures in a standard JSON document. The vulnerability exists within GeoJSON documents using the function ST_GeomFromGeoJSON (for postgresql/postgis) and the function GeomFromText (for mysql).

Note that sequelize users who do not use these specific functions are not affected. For users who do use these functions, this vulnerability has a high impact and is easily expoited, hence its high severity classification.