CVE-2016-10553

EPSS 0.27%

Potential SQL Injection in sequelize

Published: 2/18/2019Modified: 11/8/2023

Description

Affected versions of `sequelize` are vulnerable to SQL Injection when user input is passed into `findOne` or into a statement such as `where: "user input"`. ## Recommendation Update to version 3.0.0 or later. Version 3.0.0 will introduce a number of breaking changes. Thankfully, the project authors have provided a 2.x -> 3.x [upgrade guide](https://github.com/sequelize/sequelize/wiki/Upgrade-from-2.0-to-3.0) to ease this transition. If upgrading is not an option, it is also possible to mitigate this by ensuring that all uses of `where: "input"` and `findOne("input")` are properly sanitized, such as by the use of a wrapper function.

Affected packages (1)

npm/sequelizefrom 0, < 3.0.0

References (4)

ADVISORYhttps://github.com/advisories/GHSA-2v7q-2xqx-f4q5
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-10553
WEBhttps://github.com/sequelize/sequelize/blob/master/changelog.md#300
WEBhttps://www.npmjs.com/advisories/109