CVE-2016-10554
EPSS 0.49%
SQL Injection in sequelize
Published: 2/18/2019
Modified: 11/8/2023
Description
Affected versions of `sequelize` use MySQL's backslash-based escape syntax when connecting to SQLite, even though SQLite uses PostgreSQL's escape syntax. This can result in a SQL injection vulnerability.
Recommendation
Update to version 1.7.0-alpha3 or later.
Affected packages (1)
- npm/sequelize from 0, < 1.7.0
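
The escaping mismatch from the description, as an added JavaScript illustration (not sequelize's own code; the function names are hypothetical and the MySQL-style escaper is simplified to quotes and backslashes). A constructed, ordinary input is quoted both ways and then read back under SQLite's string-literal rules, where a quote is escaped by doubling it and a backslash has no special meaning.

```javascript
// Added illustration; names are hypothetical, not sequelize's API.

// MySQL-style escaping (simplified): prefix ' and \ with a backslash.
function escapeMysqlStyle(value) {
  return "'" + value.replace(/[\\']/g, (ch) => "\\" + ch) + "'";
}

// SQLite / standard SQL escaping: double each single quote.
function escapeSqliteStyle(value) {
  return "'" + value.replace(/'/g, "''") + "'";
}

// Read one string literal from the start of `sql` using SQLite's rules:
// '' inside a literal is an escaped quote; a backslash is an ordinary character.
// Returns the decoded value and the text left over after the closing quote.
function readSqliteLiteral(sql) {
  if (sql[0] !== "'") throw new Error("expected opening quote");
  let value = "";
  let i = 1;
  while (i < sql.length) {
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { value += "'"; i += 2; continue; }
      return { value, rest: sql.slice(i + 1) };
    }
    value += sql[i];
    i += 1;
  }
  throw new Error("unterminated string literal");
}

// Compare how SQLite would see the same input under each escaping scheme.
function demo(input) {
  return {
    wrong: readSqliteLiteral(escapeMysqlStyle(input)),
    right: readSqliteLiteral(escapeSqliteStyle(input)),
  };
}

// Constructed sample input: a name containing a single quote.
console.log(demo("O'Brien"));
```

With backslash escaping, the literal ends at the first quote in the input and the remainder of the value is left outside the string, where the database would parse it as SQL. With quote doubling, the value round-trips intact and nothing is left over.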