CVE-2023-25813

CRITICAL 10.0 | EPSS 3.5%

Sequelize vulnerable to SQL Injection via replacements

Published: 2023/2/22 | Modified: 2023/11/8

Description

### Impact

The SQL injection exploit is related to replacements. Here is such an example: in the following query, some parameters are passed through replacements, and some are passed directly through the `where` option.

```typescript
User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})
```

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the `where` option, then passed it over to `sequelize.query`, which parsed the resulting SQL to inject all `:replacements`.

If the user passed values such as

```json
{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}
```

Sequelize would first generate this query:

```sql
SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'
```

Then it would inject the replacements into it, which resulted in this:

```sql
SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''
```

As you can see, this resulted in arbitrary user-provided SQL being executed.

### Patches

The issue was fixed in Sequelize 6.19.1.

### Workarounds

Do not use the `replacements` and the `where` option in the same query if you are not using Sequelize >= 6.19.1.

### References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519

Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027
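The two query-building orders described above, as an added illustration that is not Sequelize's own code: a simplified model in which `buildVulnerable` runs the replacement pass over the already-composed statement (the pre-6.19.1 behaviour) and `buildFixed` resolves replacements only inside the developer-authored literal before it is joined with the escaped `where` values. The escaping, placeholder regex and `assertNotMixed` guard are assumptions of this model; the input values are the advisory's own.

```javascript
// Developer-authored fragment from the advisory's query.
const LITERAL = 'soundex("firstName") = soundex(:firstName)';

// Escape a JS string as a SQL string literal by doubling single quotes.
function escapeLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Substitute every :name placeholder whose name is a replacement key.
// (Simplified: real Sequelize tokenises SQL more carefully.)
function applyReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (token, name) =>
    Object.prototype.hasOwnProperty.call(replacements, name)
      ? escapeLiteral(replacements[name])
      : token);
}

// Render the `where` object as "col" = 'escaped value' clauses joined by OR.
function renderWhere(where) {
  return Object.entries(where)
    .map(([col, value]) => `"${col}" = ${escapeLiteral(value)}`)
    .join(' OR ');
}

// Vulnerable order: compose the whole statement, including the escaped where
// values, then run the replacement pass over all of it. A where value that
// merely contains the text ':firstName' is therefore rewritten as well.
function buildVulnerable(where, replacements) {
  const sql = `SELECT * FROM users WHERE ${LITERAL} OR ${renderWhere(where)}`;
  return applyReplacements(sql, replacements);
}

// Fixed order: replacements are resolved only in the literal fragment before
// it is joined with the where values, so user data is never re-parsed.
function buildFixed(where, replacements) {
  const literal = applyReplacements(LITERAL, replacements);
  return `SELECT * FROM users WHERE ${literal} OR ${renderWhere(where)}`;
}

// Guard implementing the advisory's workaround for Sequelize < 6.19.1:
// refuse any query that combines the two options (assumed helper).
function assertNotMixed(options) {
  if (options.where !== undefined && options.replacements !== undefined) {
    throw new Error('refusing to combine `where` with `replacements`');
  }
  return true;
}

// Constructed input matching the advisory's example values.
const where = { lastName: ':firstName' };
const replacements = { firstName: 'OR true; DROP TABLE users;' };
console.log(buildVulnerable(where, replacements));
console.log(buildFixed(where, replacements));
```

In the fixed output, `"lastName"` is compared against the literal string `:firstName`, exactly what the caller supplied.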

Affected packages (1)

CVSS score

| Source | Version  | Severity      | Vector                                       |
|--------|----------|---------------|----------------------------------------------|
| osv    | CVSS 3.1 | CRITICAL 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

References (7)