CVE-2016-1000225
CRITICAL9.8SQL Injection via GeoJSON in sequelize
Published: 9/1/2020Modified: 11/8/2023
Also known as:GHSA-5v9h-q3gj-c32x
Description
Affected versions of `sequelize` are vulnerable to SQL Injection in Models that have fields with the `GEOMETRY` DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using `ST_GeomFromGeoJSON`, and MySQL GeoJSON documents using `GeomFromText`. ## Recommendation Update to version 3.23.6 or later.
Affected packages (1)
- npm/sequelize>= 3.4.0, < 3.23.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-1000225
- PATCHhttps://github.com/sequelize/sequelize
- WEBhttps://github.com/sequelize/sequelize/commit/14e3deaf3ad27f12900e5275db1d448844c9de3e
- WEBhttps://github.com/sequelize/sequelize/commit/18ac91040d9c57351d26ba998f460e214255b704
- WEBhttps://github.com/sequelize/sequelize/commit/562d52585902090f4e53eb21c61314098c29d795
- WEBhttps://github.com/sequelize/sequelize/commit/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1
- WEBhttps://github.com/sequelize/sequelize/issues/6194
- WEBhttps://github.com/sequelize/sequelize/pull/6302
- WEBhttps://github.com/sequelize/sequelize/pull/6306
- WEBhttps://snyk.io/vuln/npm:sequelize:20160718