CVE-2019-10752
CRITICAL9.8EPSS 0.43%SQL Injection in sequelize
Published: 10/25/2019Modified: 11/13/2024
Also known as:GHSA-m9jw-237r-gvfv
Description
Affected versions of `sequelize` are vulnerable to SQL Injection. The function `sequelize.json()` incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example: ```js return User.findAll({ where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1) }); ``` ## Recommendation If you are using `sequelize` 5.x, upgrade to version 5.15.1 or later. If you are using `sequelize` 4.x, upgrade to version 4.44.3 or later.
Affected packages (1)
- npm/sequelizefrom 0, < 4.44.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10752
- WEBhttps://github.com/sequelize/sequelize/commit/9bd0bc1,
- WEBhttps://github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2ed541e
- WEBhttps://github.com/sequelize/sequelize/pull/11329
- WEBhttps://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
- WEBhttps://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751,
- WEBhttps://www.npmjs.com/advisories/1146