NodeJS/sequelize/6.15.0


Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

https://www.npmjs.com/package/sequelize
MIT

5 Security Vulnerabilities

Sequelize information disclosure vulnerability

Published date: 2023-02-16T15:30:28Z
CVE: CVE-2023-22580
Links:

Due to improper input filtering in the sequelize js library, malicious queries can lead to sensitive information disclosure.

Affected versions: ["0.2.5", "0.3.0", "0.4.3", "1.0.0", "1.1.1", "1.1.2", "1.1.4", "1.2.0", "1.3.1", "1.3.3", "1.3.5", "1.3.7", "1.5.0-beta", "1.5.0-beta-2", "1.5.0", "1.6.0-beta-2", "1.6.0-beta-3", "1.6.0", "1.7.0-alpha3", "1.7.0-beta.0", "2.0.0-beta.0", "1.7.0-beta.3b", "1.7.0-beta.4a", "2.0.0-beta.6", "1.7.0-beta7", "2.0.0-beta.8", "1.7.0-beta8", "2.0.0-dev1", "2.0.0-dev2", "1.7.0-rc3", "2.0.0-dev3", "1.7.0-rc6", "2.0.0-dev6", "2.0.0-dev7", "1.7.0-rc7", "1.7.0-rc8", "1.7.0", "1.7.1", "1.7.2", "1.7.7", "1.7.8", "1.7.10", "2.0.0-rc1", "2.0.0-rc5", "2.0.0-rc6", "2.0.0-rc7", "2.0.2", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.3.0", "3.3.1", "3.3.2", "3.4.0", "3.4.1", "3.6.0", "3.7.0", "3.7.1", "3.8.0", "3.10.0", "3.12.0", "3.12.1", "3.12.2", "3.14.0", "3.14.2", "3.15.0", "3.15.1", "3.16.0", "3.17.0", "3.17.1", "3.17.3", "3.19.1", "3.19.2", "3.21.0", "3.23.2", "4.0.0-0", "3.23.4", "3.23.6", "3.24.1", "3.24.2", "4.0.0-2", "3.24.6", "3.24.7", "3.25.0", "3.25.1", "3.27.0", "3.29.0", "3.30.0", "4.0.0", "4.2.0", "4.3.2", "4.4.5", "4.4.7", "4.4.8", "4.4.10", "4.7.0", "4.7.1", "4.8.0", "4.10.0", "4.10.1", "4.10.3", "4.11.1", "4.11.2", "4.11.6", "4.13.2", "4.13.5", "4.13.9", "4.13.12", "4.13.14", "4.13.16", "4.14.0", "4.15.2", "4.16.2", "4.17.0", "4.17.1", "4.20.0", "4.21.0", "4.22.0", "4.22.1", "4.22.2", "4.22.4", "4.22.5", "4.22.10", "4.22.12", "4.22.14", "4.22.15", "4.23.1", "3.31.0", "4.23.4", "3.31.1", "4.24.0", "4.25.0", "4.28.0", "4.28.2", "4.28.3", "4.28.4", "4.28.6", "4.28.7", "4.28.8", "4.31.2", "4.32.0", "4.32.2", "4.32.7", "4.33.0", "3.31.2", "4.33.4", "4.34.1", "4.35.1", "4.35.3", "4.35.4", "4.36.0", "4.36.1", "4.37.0", "4.37.4", "5.0.0-beta", "4.37.5", "5.0.0-beta.2", "5.0.0-beta.4", "3.33.0", "4.37.9", "5.0.0-beta.7", "5.0.0-beta.8", "5.0.0-beta.9", "5.0.0-beta.10", "5.0.0-beta.11", "5.0.0-beta.12", "4.38.1", "4.39.0", "4.41.0", "4.41.1", "4.41.2", "5.0.0-beta.15", "3.34.0", "4.42.1", "4.43.0", "5.1.0", "5.1.1", "5.2.0", 
"5.2.2", "5.2.4", "5.2.5", "5.2.7", "4.43.1", "5.2.8", "5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.3.4", "5.3.5", "4.43.2", "5.4.0", "5.6.0", "5.6.1", "5.7.1", "5.7.2", "5.8.0", "5.8.1", "5.8.2", "5.8.4", "5.8.5", "6.0.0-beta.1", "3.35.0", "3.35.1", "5.8.11", "5.8.12", "5.9.2", "4.44.1", "5.9.3", "5.9.4", "5.10.1", "5.10.2", "5.12.0", "5.13.0", "5.13.1", "5.14.0", "5.16.0", "5.17.0", "5.17.1", "5.18.1", "5.19.2", "5.19.8", "5.20.0", "5.21.0", "5.21.1", "6.0.0-beta.3", "5.21.2", "6.0.0-beta.4", "6.0.0-beta.5", "5.21.7", "5.21.8", "6.0.0-beta.6", "5.21.10", "5.21.11", "5.21.12", "6.0.0-beta.7", "5.22.0", "6.1.0", "5.22.1", "5.22.2", "6.2.1", "6.2.2", "5.22.3", "6.2.4", "6.3.0", "6.3.2", "6.3.4", "6.3.5", "0.2.2", "0.2.3", "0.2.4", "0.2.6", "0.4.0", "0.4.1", "0.4.2", "1.0.1", "1.0.2", "1.1.0", "1.1.3", "1.2.1", "1.3.0", "1.3.2", "1.3.4", "1.3.6", "1.4.0", "1.4.1", "1.5.0-alpha", "1.6.0-alpha-1", "1.6.0-alpha-2", "1.6.0-alpha-3", "1.6.0-beta-1", "1.6.0-beta4", "1.7.0-alpha1", "1.7.0-alpha2", "2.0.0-alpha1", "2.0.0-alpha2", "2.0.0-alpha3", "1.7.0-beta.1", "2.0.0-beta.1", "1.7.0-beta.2", "2.0.0-beta.2", "2.0.0-beta.3", "2.0.0-beta.4", "1.7.0-beta.5", "2.0.0-beta.5", "1.7.0-beta6", "2.0.0-beta.7", "1.7.0-rc1", "1.7.0-rc2", "1.7.0-rc4", "2.0.0-dev4", "2.0.0-dev5", "1.7.0-rc5", "2.0.0-dev8", "1.7.0-rc9", "2.0.0-dev9", "1.7.3", "1.7.4", "1.7.5", "1.7.9", "2.0.0-rc2", "2.0.0-rc3", "2.0.0-rc4", "2.0.0-rc8", "2.0.0", "2.0.1", "2.0.3", "2.0.4", "2.1.2", "2.1.3", "3.0.1", "1.7.11", "3.5.0", "3.5.1", "3.9.0", "3.11.0", "3.13.0", "3.14.1", "3.17.2", "3.18.0", "3.19.0", "3.19.3", "3.20.0", "3.22.0", "3.23.0", "3.23.1", "3.23.3", "3.23.5", "3.24.0", "4.0.0-1", "3.24.3", "3.24.4", "3.24.5", "3.24.8", "3.26.0", "3.28.0", "3.30.1", "3.30.2", "3.30.3", "3.30.4", "4.1.0", "4.2.1", "4.3.0", "4.3.1", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.4.6", "4.4.9", "4.5.0", "4.6.0", "4.7.2", "4.7.3", "4.7.4", "4.7.5", "4.8.1", "4.8.2", "4.8.3", "4.8.4", "4.9.0", "4.10.2", "4.11.0", "4.11.3", 
"4.11.4", "4.11.5", "4.11.7", "4.12.0", "4.13.0", "4.13.1", "4.13.3", "4.13.4", "4.13.6", "4.13.7", "4.13.8", "4.13.10", "4.13.11", "4.13.13", "4.13.15", "4.13.17", "4.15.0", "4.15.1", "4.16.0", "4.16.1", "4.17.2", "4.18.0", "4.19.0", "4.20.1", "4.20.2", "4.20.3", "4.22.3", "4.22.6", "4.22.7", "4.22.8", "4.22.9", "4.22.11", "4.22.13", "4.22.16", "4.23.0", "4.23.2", "4.23.3", "4.25.1", "4.25.2", "4.26.0", "4.27.0", "4.28.1", "4.28.5", "4.29.0", "4.29.1", "4.29.2", "4.29.3", "4.30.0", "4.30.1", "4.30.2", "4.31.0", "4.31.1", "4.32.1", "4.32.3", "4.32.4", "4.32.5", "4.32.6", "4.33.1", "4.33.2", "4.33.3", "4.34.0", "4.35.0", "3.32.1", "4.35.2", "4.35.5", "0.0.0-development", "5.0.0-0", "4.37.1", "4.37.2", "4.37.3", "5.0.0-beta.1", "4.37.6", "5.0.0-beta.3", "5.0.0-beta.5", "4.37.7", "5.0.0-beta.6", "4.37.8", "4.37.10", "4.38.0", "4.39.1", "4.40.0", "5.0.0-beta.13", "5.0.0-beta.14", "4.42.0", "5.0.0-beta.16", "5.0.0-beta.17", "5.2.1", "5.2.3", "5.2.6", "5.2.13", "5.2.14", "5.2.15", "5.3.0", "5.3.1", "5.3.2", "5.3.3", "5.5.0", "5.5.1", "5.7.0", "5.7.3", "5.7.4", "5.7.5", "5.7.6", "5.8.3", "4.44.0", "5.8.6", "5.8.7", "5.8.8", "5.8.9", "5.8.10", "5.9.0", "5.9.1", "4.44.2", "5.9.5", "5.10.0", "5.10.3", "5.11.0", "5.12.1", "5.12.2", "5.12.3", "5.15.0", "5.15.1", "4.44.3", "5.15.2", "5.17.2", "5.18.0", "5.18.2", "5.18.3", "5.18.4", "5.19.0", "5.19.1", "5.19.3", "5.19.4", "5.19.5", "5.19.6", "5.19.7", "6.0.0-beta.2", "5.21.3", "5.21.4", "5.21.5", "4.44.4", "5.21.6", "5.21.9", "5.21.13", "6.1.1", "6.2.0", "6.2.3", "6.3.1", "6.3.3", "6.4.0", "6.5.0", "5.22.4", "6.5.1", "6.6.0", "6.6.1", "6.6.2", "6.6.4", "6.6.5", "6.7.0", "6.8.0", "6.9.0", "6.11.0", "6.10.0", "6.12.0-alpha.1", "6.12.0-beta.1", "6.12.0-beta.2", "6.12.0-beta.3", "6.12.0", "6.12.1", "5.22.5", "6.12.2", "6.12.3", "6.12.4", "6.12.5", "6.13.0", "6.14.0", "6.14.1", "6.15.0", "6.15.1", "6.16.0", "6.16.1", "6.16.2", "6.16.3", "6.17.0", "6.18.0", "6.19.0", "6.19.1", "6.19.2", "6.20.0", "6.20.1", "6.21.0", "6.21.1", 
"6.21.2", "6.21.3", "6.21.4", "6.21.5", "6.21.6", "6.22.0", "6.22.1", "6.23.0", "6.23.1", "6.23.2", "6.24.0", "6.25.0", "6.25.1", "6.25.2", "6.25.3", "6.25.4", "6.25.5", "6.25.6", "6.25.7", "6.25.8", "6.26.0", "6.27.0", "6.28.0"]
Secure versions: [6.29.0, 6.29.1, 6.29.2, 6.29.3, 6.30.0, 6.31.0, 6.31.1, 6.32.0, 6.32.1, 6.33.0, 6.34.0, 6.35.0, 6.35.1, 6.35.2, 6.36.0, 6.37.0, 6.37.1, 6.37.2, 6.37.3, 6.37.4, 6.37.5, 6.37.6, 6.37.7, 7.0.0-alpha.1, 7.0.0-alpha.2, 7.0.0-alpha.3, 7.0.0-alpha.4, 7.0.0-alpha.5, 7.0.0-alpha.6, 7.0.0-alpha.7, 7.0.0-alpha.8, 7.0.0-alpha.9, 7.0.0-alpha2.1, 7.0.0-alpha2.2, 7.0.0-next.1]
Recommendation: Update to version 7.0.0-next.1 (a pre-release), or to 6.29.0 or later to stay on the 6.x line (the first 6.x release in the secure list above).

Duplicate advisory: Sequelize vulnerable to Improper Filtering of Special Elements

Published date: 2023-02-16T15:30:28Z
CVE: CVE-2023-22578
Links:

Duplicate advisory

This advisory has been withdrawn because it is a duplicate of GHSA-f598-mfpv-gmfx. This link is maintained to preserve external references.

Original Description

Due to improper attribute filtering in the sequelize js library, an attacker can perform SQL injections. This issue can be mitigated by not accepting untrusted input.

Affected versions: ["0.2.5", "0.3.0", "0.4.3", "1.0.0", "1.1.1", "1.1.2", "1.1.4", "1.2.0", "1.3.1", "1.3.3", "1.3.5", "1.3.7", "1.5.0-beta", "1.5.0-beta-2", "1.5.0", "1.6.0-beta-2", "1.6.0-beta-3", "1.6.0", "1.7.0-alpha3", "1.7.0-beta.0", "2.0.0-beta.0", "1.7.0-beta.3b", "1.7.0-beta.4a", "2.0.0-beta.6", "1.7.0-beta7", "2.0.0-beta.8", "1.7.0-beta8", "2.0.0-dev1", "2.0.0-dev2", "1.7.0-rc3", "2.0.0-dev3", "1.7.0-rc6", "2.0.0-dev6", "2.0.0-dev7", "1.7.0-rc7", "1.7.0-rc8", "1.7.0", "1.7.1", "1.7.2", "1.7.7", "1.7.8", "1.7.10", "2.0.0-rc1", "2.0.0-rc5", "2.0.0-rc6", "2.0.0-rc7", "2.0.2", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.3.0", "3.3.1", "3.3.2", "3.4.0", "3.4.1", "3.6.0", "3.7.0", "3.7.1", "3.8.0", "3.10.0", "3.12.0", "3.12.1", "3.12.2", "3.14.0", "3.14.2", "3.15.0", "3.15.1", "3.16.0", "3.17.0", "3.17.1", "3.17.3", "3.19.1", "3.19.2", "3.21.0", "3.23.2", "4.0.0-0", "3.23.4", "3.23.6", "3.24.1", "3.24.2", "4.0.0-2", "3.24.6", "3.24.7", "3.25.0", "3.25.1", "3.27.0", "3.29.0", "3.30.0", "4.0.0", "4.2.0", "4.3.2", "4.4.5", "4.4.7", "4.4.8", "4.4.10", "4.7.0", "4.7.1", "4.8.0", "4.10.0", "4.10.1", "4.10.3", "4.11.1", "4.11.2", "4.11.6", "4.13.2", "4.13.5", "4.13.9", "4.13.12", "4.13.14", "4.13.16", "4.14.0", "4.15.2", "4.16.2", "4.17.0", "4.17.1", "4.20.0", "4.21.0", "4.22.0", "4.22.1", "4.22.2", "4.22.4", "4.22.5", "4.22.10", "4.22.12", "4.22.14", "4.22.15", "4.23.1", "3.31.0", "4.23.4", "3.31.1", "4.24.0", "4.25.0", "4.28.0", "4.28.2", "4.28.3", "4.28.4", "4.28.6", "4.28.7", "4.28.8", "4.31.2", "4.32.0", "4.32.2", "4.32.7", "4.33.0", "3.31.2", "4.33.4", "4.34.1", "4.35.1", "4.35.3", "4.35.4", "4.36.0", "4.36.1", "4.37.0", "4.37.4", "5.0.0-beta", "4.37.5", "5.0.0-beta.2", "5.0.0-beta.4", "3.33.0", "4.37.9", "5.0.0-beta.7", "5.0.0-beta.8", "5.0.0-beta.9", "5.0.0-beta.10", "5.0.0-beta.11", "5.0.0-beta.12", "4.38.1", "4.39.0", "4.41.0", "4.41.1", "4.41.2", "5.0.0-beta.15", "3.34.0", "4.42.1", "4.43.0", "5.1.0", "5.1.1", "5.2.0", 
"5.2.2", "5.2.4", "5.2.5", "5.2.7", "4.43.1", "5.2.8", "5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.3.4", "5.3.5", "4.43.2", "5.4.0", "5.6.0", "5.6.1", "5.7.1", "5.7.2", "5.8.0", "5.8.1", "5.8.2", "5.8.4", "5.8.5", "6.0.0-beta.1", "3.35.0", "3.35.1", "5.8.11", "5.8.12", "5.9.2", "4.44.1", "5.9.3", "5.9.4", "5.10.1", "5.10.2", "5.12.0", "5.13.0", "5.13.1", "5.14.0", "5.16.0", "5.17.0", "5.17.1", "5.18.1", "5.19.2", "5.19.8", "5.20.0", "5.21.0", "5.21.1", "6.0.0-beta.3", "5.21.2", "6.0.0-beta.4", "6.0.0-beta.5", "5.21.7", "5.21.8", "6.0.0-beta.6", "5.21.10", "5.21.11", "5.21.12", "6.0.0-beta.7", "5.22.0", "6.1.0", "5.22.1", "5.22.2", "6.2.1", "6.2.2", "5.22.3", "6.2.4", "6.3.0", "6.3.2", "6.3.4", "6.3.5", "0.2.2", "0.2.3", "0.2.4", "0.2.6", "0.4.0", "0.4.1", "0.4.2", "1.0.1", "1.0.2", "1.1.0", "1.1.3", "1.2.1", "1.3.0", "1.3.2", "1.3.4", "1.3.6", "1.4.0", "1.4.1", "1.5.0-alpha", "1.6.0-alpha-1", "1.6.0-alpha-2", "1.6.0-alpha-3", "1.6.0-beta-1", "1.6.0-beta4", "1.7.0-alpha1", "1.7.0-alpha2", "2.0.0-alpha1", "2.0.0-alpha2", "2.0.0-alpha3", "1.7.0-beta.1", "2.0.0-beta.1", "1.7.0-beta.2", "2.0.0-beta.2", "2.0.0-beta.3", "2.0.0-beta.4", "1.7.0-beta.5", "2.0.0-beta.5", "1.7.0-beta6", "2.0.0-beta.7", "1.7.0-rc1", "1.7.0-rc2", "1.7.0-rc4", "2.0.0-dev4", "2.0.0-dev5", "1.7.0-rc5", "2.0.0-dev8", "1.7.0-rc9", "2.0.0-dev9", "1.7.3", "1.7.4", "1.7.5", "1.7.9", "2.0.0-rc2", "2.0.0-rc3", "2.0.0-rc4", "2.0.0-rc8", "2.0.0", "2.0.1", "2.0.3", "2.0.4", "2.1.2", "2.1.3", "3.0.1", "1.7.11", "3.5.0", "3.5.1", "3.9.0", "3.11.0", "3.13.0", "3.14.1", "3.17.2", "3.18.0", "3.19.0", "3.19.3", "3.20.0", "3.22.0", "3.23.0", "3.23.1", "3.23.3", "3.23.5", "3.24.0", "4.0.0-1", "3.24.3", "3.24.4", "3.24.5", "3.24.8", "3.26.0", "3.28.0", "3.30.1", "3.30.2", "3.30.3", "3.30.4", "4.1.0", "4.2.1", "4.3.0", "4.3.1", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.4.6", "4.4.9", "4.5.0", "4.6.0", "4.7.2", "4.7.3", "4.7.4", "4.7.5", "4.8.1", "4.8.2", "4.8.3", "4.8.4", "4.9.0", "4.10.2", "4.11.0", "4.11.3", 
"4.11.4", "4.11.5", "4.11.7", "4.12.0", "4.13.0", "4.13.1", "4.13.3", "4.13.4", "4.13.6", "4.13.7", "4.13.8", "4.13.10", "4.13.11", "4.13.13", "4.13.15", "4.13.17", "4.15.0", "4.15.1", "4.16.0", "4.16.1", "4.17.2", "4.18.0", "4.19.0", "4.20.1", "4.20.2", "4.20.3", "4.22.3", "4.22.6", "4.22.7", "4.22.8", "4.22.9", "4.22.11", "4.22.13", "4.22.16", "4.23.0", "4.23.2", "4.23.3", "4.25.1", "4.25.2", "4.26.0", "4.27.0", "4.28.1", "4.28.5", "4.29.0", "4.29.1", "4.29.2", "4.29.3", "4.30.0", "4.30.1", "4.30.2", "4.31.0", "4.31.1", "4.32.1", "4.32.3", "4.32.4", "4.32.5", "4.32.6", "4.33.1", "4.33.2", "4.33.3", "4.34.0", "4.35.0", "3.32.1", "4.35.2", "4.35.5", "0.0.0-development", "5.0.0-0", "4.37.1", "4.37.2", "4.37.3", "5.0.0-beta.1", "4.37.6", "5.0.0-beta.3", "5.0.0-beta.5", "4.37.7", "5.0.0-beta.6", "4.37.8", "4.37.10", "4.38.0", "4.39.1", "4.40.0", "5.0.0-beta.13", "5.0.0-beta.14", "4.42.0", "5.0.0-beta.16", "5.0.0-beta.17", "5.2.1", "5.2.3", "5.2.6", "5.2.13", "5.2.14", "5.2.15", "5.3.0", "5.3.1", "5.3.2", "5.3.3", "5.5.0", "5.5.1", "5.7.0", "5.7.3", "5.7.4", "5.7.5", "5.7.6", "5.8.3", "4.44.0", "5.8.6", "5.8.7", "5.8.8", "5.8.9", "5.8.10", "5.9.0", "5.9.1", "4.44.2", "5.9.5", "5.10.0", "5.10.3", "5.11.0", "5.12.1", "5.12.2", "5.12.3", "5.15.0", "5.15.1", "4.44.3", "5.15.2", "5.17.2", "5.18.0", "5.18.2", "5.18.3", "5.18.4", "5.19.0", "5.19.1", "5.19.3", "5.19.4", "5.19.5", "5.19.6", "5.19.7", "6.0.0-beta.2", "5.21.3", "5.21.4", "5.21.5", "4.44.4", "5.21.6", "5.21.9", "5.21.13", "6.1.1", "6.2.0", "6.2.3", "6.3.1", "6.3.3", "6.4.0", "6.5.0", "5.22.4", "6.5.1", "6.6.0", "6.6.1", "6.6.2", "6.6.4", "6.6.5", "6.7.0", "6.8.0", "6.9.0", "6.11.0", "6.10.0", "6.12.0-alpha.1", "6.12.0-beta.1", "6.12.0-beta.2", "6.12.0-beta.3", "6.12.0", "6.12.1", "5.22.5", "6.12.2", "6.12.3", "6.12.4", "6.12.5", "6.13.0", "6.14.0", "6.14.1", "6.15.0", "6.15.1", "6.16.0", "6.16.1", "6.16.2", "6.16.3", "6.17.0", "6.18.0", "6.19.0", "6.19.1", "6.19.2", "6.20.0", "6.20.1", "6.21.0", "6.21.1", 
"6.21.2", "6.21.3", "6.21.4", "6.21.5", "6.21.6", "6.22.0", "6.22.1", "6.23.0", "6.23.1", "6.23.2", "6.24.0", "6.25.0", "6.25.1", "6.25.2", "6.25.3", "6.25.4", "6.25.5", "6.25.6", "6.25.7", "6.25.8", "6.26.0", "6.27.0", "6.28.0", "6.28.1", "6.28.2"]
Secure versions: [6.29.0, 6.29.1, 6.29.2, 6.29.3, 6.30.0, 6.31.0, 6.31.1, 6.32.0, 6.32.1, 6.33.0, 6.34.0, 6.35.0, 6.35.1, 6.35.2, 6.36.0, 6.37.0, 6.37.1, 6.37.2, 6.37.3, 6.37.4, 6.37.5, 6.37.6, 6.37.7, 7.0.0-alpha.1, 7.0.0-alpha.2, 7.0.0-alpha.3, 7.0.0-alpha.4, 7.0.0-alpha.5, 7.0.0-alpha.6, 7.0.0-alpha.7, 7.0.0-alpha.8, 7.0.0-alpha.9, 7.0.0-alpha2.1, 7.0.0-alpha2.2, 7.0.0-next.1]
Recommendation: Update to version 7.0.0-next.1 (a pre-release), or to 6.29.0 or later to stay on the 6.x line (the first 6.x release in the secure list above).

Sequelize - Default support for “raw attributes” when using parentheses

Published date: 2023-02-24T18:48:49Z
CVE: CVE-2023-22578
Links:

Impact

Sequelize 6.28.2 and prior has a dangerous feature: if a string passed in the attributes option contains parentheses, Sequelize inlines that string as-is, unescaped, into the generated SQL.

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that a breaking change had to be introduced, and requires the user to explicitly opt in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list of attributes. If you do, make sure that the attribute in question actually exists on your model by checking that it is present in the rawAttributes property of your model first.
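The following is an added example, not code from Sequelize or from the advisory. It implements the mitigation above: an attributes list assembled from client input is checked against model.rawAttributes (a real Sequelize 6 model property) and, going one step further than the advisory, against the subset of columns the endpoint is meant to expose, since a column can exist on the model and still be one you never want a client to select. The User object below is a constructed stand-in carrying only rawAttributes, so the snippet runs without a database or the sequelize package installed.

```javascript
// Added example, not sequelize's own code. Validates a client-chosen
// attributes list before it reaches Model.findAll({ attributes }).
// `User` is a constructed stand-in; only its rawAttributes is consulted.

const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

function buildSafeAttributes(model, requested, exposable = Object.keys(model.rawAttributes)) {
  if (!Array.isArray(requested)) {
    throw new TypeError('attributes must be an array');
  }
  const exposed = new Set(exposable);
  return requested.map((entry) => {
    // Only "name" or ["name", "alias"] is accepted from a client; objects,
    // fn()/col()/literal() wrappers and anything else are refused outright.
    const [name, alias] = Array.isArray(entry) && entry.length === 2 ? entry : [entry, undefined];
    // hasOwnProperty keeps "constructor" / "__proto__" from matching via the prototype chain.
    if (typeof name !== 'string' || !Object.prototype.hasOwnProperty.call(model.rawAttributes, name)) {
      throw new RangeError(`unknown attribute: ${String(name)}`);
    }
    if (!exposed.has(name)) {
      throw new RangeError(`attribute not exposable here: ${name}`);
    }
    // Sequelize quotes aliases, but restricting them to identifier characters
    // keeps "count(id)"-style strings out of both positions of the pair.
    if (alias !== undefined && (typeof alias !== 'string' || !IDENTIFIER.test(alias))) {
      throw new RangeError(`invalid alias: ${String(alias)}`);
    }
    return alias === undefined ? name : [name, alias];
  });
}

// Constructed stand-in for a Sequelize model (real models expose rawAttributes).
const User = {
  rawAttributes: { id: {}, firstName: {}, lastName: {}, passwordHash: {} },
};
// Columns this endpoint is allowed to return; passwordHash exists but is not exposable.
const PUBLIC_COLUMNS = ['id', 'firstName', 'lastName'];

// Typical call site: the client picks columns, the server validates, then
// the result is what you would pass as `attributes` to User.findAll.
function selectForClient(requested) {
  return buildSafeAttributes(User, requested, PUBLIC_COLUMNS);
}

console.log(selectForClient(['id', ['firstName', 'first']]));
```

The pre-6.29.0 payload from the advisory, ['count(id)', 'count'], is rejected because 'count(id)' is not an own property of rawAttributes; the check does not need to know about the parentheses rule at all, which is why an allowlist is the right shape of fix here.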


A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694

CVE: CVE-2023-22578

Affected versions: ["0.2.5", "0.3.0", "0.4.3", "1.0.0", "1.1.1", "1.1.2", "1.1.4", "1.2.0", "1.3.1", "1.3.3", "1.3.5", "1.3.7", "1.5.0-beta", "1.5.0-beta-2", "1.5.0", "1.6.0-beta-2", "1.6.0-beta-3", "1.6.0", "1.7.0-alpha3", "1.7.0-beta.0", "2.0.0-beta.0", "1.7.0-beta.3b", "1.7.0-beta.4a", "2.0.0-beta.6", "1.7.0-beta7", "2.0.0-beta.8", "1.7.0-beta8", "2.0.0-dev1", "2.0.0-dev2", "1.7.0-rc3", "2.0.0-dev3", "1.7.0-rc6", "2.0.0-dev6", "2.0.0-dev7", "1.7.0-rc7", "1.7.0-rc8", "1.7.0", "1.7.1", "1.7.2", "1.7.7", "1.7.8", "1.7.10", "2.0.0-rc1", "2.0.0-rc5", "2.0.0-rc6", "2.0.0-rc7", "2.0.2", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.3.0", "3.3.1", "3.3.2", "3.4.0", "3.4.1", "3.6.0", "3.7.0", "3.7.1", "3.8.0", "3.10.0", "3.12.0", "3.12.1", "3.12.2", "3.14.0", "3.14.2", "3.15.0", "3.15.1", "3.16.0", "3.17.0", "3.17.1", "3.17.3", "3.19.1", "3.19.2", "3.21.0", "3.23.2", "4.0.0-0", "3.23.4", "3.23.6", "3.24.1", "3.24.2", "4.0.0-2", "3.24.6", "3.24.7", "3.25.0", "3.25.1", "3.27.0", "3.29.0", "3.30.0", "4.0.0", "4.2.0", "4.3.2", "4.4.5", "4.4.7", "4.4.8", "4.4.10", "4.7.0", "4.7.1", "4.8.0", "4.10.0", "4.10.1", "4.10.3", "4.11.1", "4.11.2", "4.11.6", "4.13.2", "4.13.5", "4.13.9", "4.13.12", "4.13.14", "4.13.16", "4.14.0", "4.15.2", "4.16.2", "4.17.0", "4.17.1", "4.20.0", "4.21.0", "4.22.0", "4.22.1", "4.22.2", "4.22.4", "4.22.5", "4.22.10", "4.22.12", "4.22.14", "4.22.15", "4.23.1", "3.31.0", "4.23.4", "3.31.1", "4.24.0", "4.25.0", "4.28.0", "4.28.2", "4.28.3", "4.28.4", "4.28.6", "4.28.7", "4.28.8", "4.31.2", "4.32.0", "4.32.2", "4.32.7", "4.33.0", "3.31.2", "4.33.4", "4.34.1", "4.35.1", "4.35.3", "4.35.4", "4.36.0", "4.36.1", "4.37.0", "4.37.4", "5.0.0-beta", "4.37.5", "5.0.0-beta.2", "5.0.0-beta.4", "3.33.0", "4.37.9", "5.0.0-beta.7", "5.0.0-beta.8", "5.0.0-beta.9", "5.0.0-beta.10", "5.0.0-beta.11", "5.0.0-beta.12", "4.38.1", "4.39.0", "4.41.0", "4.41.1", "4.41.2", "5.0.0-beta.15", "3.34.0", "4.42.1", "4.43.0", "5.1.0", "5.1.1", "5.2.0", 
"5.2.2", "5.2.4", "5.2.5", "5.2.7", "4.43.1", "5.2.8", "5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.3.4", "5.3.5", "4.43.2", "5.4.0", "5.6.0", "5.6.1", "5.7.1", "5.7.2", "5.8.0", "5.8.1", "5.8.2", "5.8.4", "5.8.5", "6.0.0-beta.1", "3.35.0", "3.35.1", "5.8.11", "5.8.12", "5.9.2", "4.44.1", "5.9.3", "5.9.4", "5.10.1", "5.10.2", "5.12.0", "5.13.0", "5.13.1", "5.14.0", "5.16.0", "5.17.0", "5.17.1", "5.18.1", "5.19.2", "5.19.8", "5.20.0", "5.21.0", "5.21.1", "6.0.0-beta.3", "5.21.2", "6.0.0-beta.4", "6.0.0-beta.5", "5.21.7", "5.21.8", "6.0.0-beta.6", "5.21.10", "5.21.11", "5.21.12", "6.0.0-beta.7", "5.22.0", "6.1.0", "5.22.1", "5.22.2", "6.2.1", "6.2.2", "5.22.3", "6.2.4", "6.3.0", "6.3.2", "6.3.4", "6.3.5", "0.2.2", "0.2.3", "0.2.4", "0.2.6", "0.4.0", "0.4.1", "0.4.2", "1.0.1", "1.0.2", "1.1.0", "1.1.3", "1.2.1", "1.3.0", "1.3.2", "1.3.4", "1.3.6", "1.4.0", "1.4.1", "1.5.0-alpha", "1.6.0-alpha-1", "1.6.0-alpha-2", "1.6.0-alpha-3", "1.6.0-beta-1", "1.6.0-beta4", "1.7.0-alpha1", "1.7.0-alpha2", "2.0.0-alpha1", "2.0.0-alpha2", "2.0.0-alpha3", "1.7.0-beta.1", "2.0.0-beta.1", "1.7.0-beta.2", "2.0.0-beta.2", "2.0.0-beta.3", "2.0.0-beta.4", "1.7.0-beta.5", "2.0.0-beta.5", "1.7.0-beta6", "2.0.0-beta.7", "1.7.0-rc1", "1.7.0-rc2", "1.7.0-rc4", "2.0.0-dev4", "2.0.0-dev5", "1.7.0-rc5", "2.0.0-dev8", "1.7.0-rc9", "2.0.0-dev9", "1.7.3", "1.7.4", "1.7.5", "1.7.9", "2.0.0-rc2", "2.0.0-rc3", "2.0.0-rc4", "2.0.0-rc8", "2.0.0", "2.0.1", "2.0.3", "2.0.4", "2.1.2", "2.1.3", "3.0.1", "1.7.11", "3.5.0", "3.5.1", "3.9.0", "3.11.0", "3.13.0", "3.14.1", "3.17.2", "3.18.0", "3.19.0", "3.19.3", "3.20.0", "3.22.0", "3.23.0", "3.23.1", "3.23.3", "3.23.5", "3.24.0", "4.0.0-1", "3.24.3", "3.24.4", "3.24.5", "3.24.8", "3.26.0", "3.28.0", "3.30.1", "3.30.2", "3.30.3", "3.30.4", "4.1.0", "4.2.1", "4.3.0", "4.3.1", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.4.6", "4.4.9", "4.5.0", "4.6.0", "4.7.2", "4.7.3", "4.7.4", "4.7.5", "4.8.1", "4.8.2", "4.8.3", "4.8.4", "4.9.0", "4.10.2", "4.11.0", "4.11.3", 
"4.11.4", "4.11.5", "4.11.7", "4.12.0", "4.13.0", "4.13.1", "4.13.3", "4.13.4", "4.13.6", "4.13.7", "4.13.8", "4.13.10", "4.13.11", "4.13.13", "4.13.15", "4.13.17", "4.15.0", "4.15.1", "4.16.0", "4.16.1", "4.17.2", "4.18.0", "4.19.0", "4.20.1", "4.20.2", "4.20.3", "4.22.3", "4.22.6", "4.22.7", "4.22.8", "4.22.9", "4.22.11", "4.22.13", "4.22.16", "4.23.0", "4.23.2", "4.23.3", "4.25.1", "4.25.2", "4.26.0", "4.27.0", "4.28.1", "4.28.5", "4.29.0", "4.29.1", "4.29.2", "4.29.3", "4.30.0", "4.30.1", "4.30.2", "4.31.0", "4.31.1", "4.32.1", "4.32.3", "4.32.4", "4.32.5", "4.32.6", "4.33.1", "4.33.2", "4.33.3", "4.34.0", "4.35.0", "3.32.1", "4.35.2", "4.35.5", "0.0.0-development", "5.0.0-0", "4.37.1", "4.37.2", "4.37.3", "5.0.0-beta.1", "4.37.6", "5.0.0-beta.3", "5.0.0-beta.5", "4.37.7", "5.0.0-beta.6", "4.37.8", "4.37.10", "4.38.0", "4.39.1", "4.40.0", "5.0.0-beta.13", "5.0.0-beta.14", "4.42.0", "5.0.0-beta.16", "5.0.0-beta.17", "5.2.1", "5.2.3", "5.2.6", "5.2.13", "5.2.14", "5.2.15", "5.3.0", "5.3.1", "5.3.2", "5.3.3", "5.5.0", "5.5.1", "5.7.0", "5.7.3", "5.7.4", "5.7.5", "5.7.6", "5.8.3", "4.44.0", "5.8.6", "5.8.7", "5.8.8", "5.8.9", "5.8.10", "5.9.0", "5.9.1", "4.44.2", "5.9.5", "5.10.0", "5.10.3", "5.11.0", "5.12.1", "5.12.2", "5.12.3", "5.15.0", "5.15.1", "4.44.3", "5.15.2", "5.17.2", "5.18.0", "5.18.2", "5.18.3", "5.18.4", "5.19.0", "5.19.1", "5.19.3", "5.19.4", "5.19.5", "5.19.6", "5.19.7", "6.0.0-beta.2", "5.21.3", "5.21.4", "5.21.5", "4.44.4", "5.21.6", "5.21.9", "5.21.13", "6.1.1", "6.2.0", "6.2.3", "6.3.1", "6.3.3", "6.4.0", "6.5.0", "5.22.4", "6.5.1", "6.6.0", "6.6.1", "6.6.2", "6.6.4", "6.6.5", "6.7.0", "6.8.0", "6.9.0", "6.11.0", "6.10.0", "6.12.0-alpha.1", "6.12.0-beta.1", "6.12.0-beta.2", "6.12.0-beta.3", "6.12.0", "6.12.1", "5.22.5", "6.12.2", "6.12.3", "6.12.4", "6.12.5", "6.13.0", "6.14.0", "6.14.1", "6.15.0", "6.15.1", "6.16.0", "6.16.1", "6.16.2", "6.16.3", "6.17.0", "6.18.0", "6.19.0", "6.19.1", "6.19.2", "6.20.0", "6.20.1", "6.21.0", "6.21.1", 
"6.21.2", "6.21.3", "6.21.4", "6.21.5", "6.21.6", "6.22.0", "6.22.1", "6.23.0", "6.23.1", "6.23.2", "6.24.0", "6.25.0", "6.25.1", "6.25.2", "6.25.3", "6.25.4", "6.25.5", "6.25.6", "6.25.7", "6.25.8", "6.26.0", "6.27.0", "6.28.0", "6.28.1", "6.28.2"]
Secure versions: [6.29.0, 6.29.1, 6.29.2, 6.29.3, 6.30.0, 6.31.0, 6.31.1, 6.32.0, 6.32.1, 6.33.0, 6.34.0, 6.35.0, 6.35.1, 6.35.2, 6.36.0, 6.37.0, 6.37.1, 6.37.2, 6.37.3, 6.37.4, 6.37.5, 6.37.6, 6.37.7, 7.0.0-alpha.1, 7.0.0-alpha.2, 7.0.0-alpha.3, 7.0.0-alpha.4, 7.0.0-alpha.5, 7.0.0-alpha.6, 7.0.0-alpha.7, 7.0.0-alpha.8, 7.0.0-alpha.9, 7.0.0-alpha2.1, 7.0.0-alpha2.2, 7.0.0-next.1]
Recommendation: Update to version 7.0.0-next.1 (a pre-release), or to 6.29.0 or later to stay on the 6.x line (the first 6.x release in the secure list above).

Unsafe fall-through in getWhereConditions

Published date: 2023-02-23T16:58:56Z
CVE: CVE-2023-22579
Links:

Impact

Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error.

A finder call like the following did not throw an error:

User.findAll({
  where: new Date(),
});

This option is typically used with plain JavaScript objects; be aware that the fall-through only happens at the top level of this option, not for values nested inside it.
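Below is an added example, not code from Sequelize or from the advisory. The risk of the behaviour just described is that a finder the developer believes is filtered returns every row (for instance, when a refactor starts passing a Date or a raw query-string value as where), so the guard is applied by the application before the finder runs and fails closed on any Sequelize version. UserStub is a constructed stand-in that only echoes the options it receives; no database is involved. Real Sequelize operator objects are keyed by symbols (the Op constants), which is why the emptiness check also looks at symbol keys.

```javascript
// Added example, not sequelize's own code. Rejects a top-level `where` that
// sequelize < 6.28.1 would have silently ignored.

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns `where` unchanged when it is usable, otherwise throws.
// Extend isPlainObject if you pass literal()/where() objects at the top level.
function assertUsableWhere(where) {
  if (where === undefined) return where; // explicit "no filter"
  if (!isPlainObject(where)) {
    throw new TypeError(`where must be a plain object, got ${Object.prototype.toString.call(where)}`);
  }
  // Sequelize accepts {} as "no filter", but an object that lost all its keys
  // is the same silent full-table read this guard exists to catch; callers
  // that really want every row pass undefined instead.
  if (Object.keys(where).length === 0 && Object.getOwnPropertySymbols(where).length === 0) {
    throw new TypeError('where is empty; pass undefined to select all rows deliberately');
  }
  return where;
}

function guardedFindAll(model, options = {}) {
  return model.findAll({ ...options, where: assertUsableWhere(options.where) });
}

// Constructed stand-in for a model: records the where it was handed.
const UserStub = {
  findAll(options) {
    return { receivedWhere: options.where };
  },
};

console.log(guardedFindAll(UserStub, { where: { id: 1 } }));
try {
  guardedFindAll(UserStub, { where: new Date() }); // the advisory's example
} catch (e) {
  console.log('rejected:', e.message);
}
```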

Patches

This issue has been patched in sequelize@6.28.1 and @sequelize/core@7.0.0.alpha-20.

References

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698

CVE: CVE-2023-22579
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090

Affected versions: ["0.2.5", "0.3.0", "0.4.3", "1.0.0", "1.1.1", "1.1.2", "1.1.4", "1.2.0", "1.3.1", "1.3.3", "1.3.5", "1.3.7", "1.5.0-beta", "1.5.0-beta-2", "1.5.0", "1.6.0-beta-2", "1.6.0-beta-3", "1.6.0", "1.7.0-alpha3", "1.7.0-beta.0", "2.0.0-beta.0", "1.7.0-beta.3b", "1.7.0-beta.4a", "2.0.0-beta.6", "1.7.0-beta7", "2.0.0-beta.8", "1.7.0-beta8", "2.0.0-dev1", "2.0.0-dev2", "1.7.0-rc3", "2.0.0-dev3", "1.7.0-rc6", "2.0.0-dev6", "2.0.0-dev7", "1.7.0-rc7", "1.7.0-rc8", "1.7.0", "1.7.1", "1.7.2", "1.7.7", "1.7.8", "1.7.10", "2.0.0-rc1", "2.0.0-rc5", "2.0.0-rc6", "2.0.0-rc7", "2.0.2", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.3.0", "3.3.1", "3.3.2", "3.4.0", "3.4.1", "3.6.0", "3.7.0", "3.7.1", "3.8.0", "3.10.0", "3.12.0", "3.12.1", "3.12.2", "3.14.0", "3.14.2", "3.15.0", "3.15.1", "3.16.0", "3.17.0", "3.17.1", "3.17.3", "3.19.1", "3.19.2", "3.21.0", "3.23.2", "4.0.0-0", "3.23.4", "3.23.6", "3.24.1", "3.24.2", "4.0.0-2", "3.24.6", "3.24.7", "3.25.0", "3.25.1", "3.27.0", "3.29.0", "3.30.0", "4.0.0", "4.2.0", "4.3.2", "4.4.5", "4.4.7", "4.4.8", "4.4.10", "4.7.0", "4.7.1", "4.8.0", "4.10.0", "4.10.1", "4.10.3", "4.11.1", "4.11.2", "4.11.6", "4.13.2", "4.13.5", "4.13.9", "4.13.12", "4.13.14", "4.13.16", "4.14.0", "4.15.2", "4.16.2", "4.17.0", "4.17.1", "4.20.0", "4.21.0", "4.22.0", "4.22.1", "4.22.2", "4.22.4", "4.22.5", "4.22.10", "4.22.12", "4.22.14", "4.22.15", "4.23.1", "3.31.0", "4.23.4", "3.31.1", "4.24.0", "4.25.0", "4.28.0", "4.28.2", "4.28.3", "4.28.4", "4.28.6", "4.28.7", "4.28.8", "4.31.2", "4.32.0", "4.32.2", "4.32.7", "4.33.0", "3.31.2", "4.33.4", "4.34.1", "4.35.1", "4.35.3", "4.35.4", "4.36.0", "4.36.1", "4.37.0", "4.37.4", "5.0.0-beta", "4.37.5", "5.0.0-beta.2", "5.0.0-beta.4", "3.33.0", "4.37.9", "5.0.0-beta.7", "5.0.0-beta.8", "5.0.0-beta.9", "5.0.0-beta.10", "5.0.0-beta.11", "5.0.0-beta.12", "4.38.1", "4.39.0", "4.41.0", "4.41.1", "4.41.2", "5.0.0-beta.15", "3.34.0", "4.42.1", "4.43.0", "5.1.0", "5.1.1", "5.2.0", 
"5.2.2", "5.2.4", "5.2.5", "5.2.7", "4.43.1", "5.2.8", "5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.3.4", "5.3.5", "4.43.2", "5.4.0", "5.6.0", "5.6.1", "5.7.1", "5.7.2", "5.8.0", "5.8.1", "5.8.2", "5.8.4", "5.8.5", "6.0.0-beta.1", "3.35.0", "3.35.1", "5.8.11", "5.8.12", "5.9.2", "4.44.1", "5.9.3", "5.9.4", "5.10.1", "5.10.2", "5.12.0", "5.13.0", "5.13.1", "5.14.0", "5.16.0", "5.17.0", "5.17.1", "5.18.1", "5.19.2", "5.19.8", "5.20.0", "5.21.0", "5.21.1", "6.0.0-beta.3", "5.21.2", "6.0.0-beta.4", "6.0.0-beta.5", "5.21.7", "5.21.8", "6.0.0-beta.6", "5.21.10", "5.21.11", "5.21.12", "6.0.0-beta.7", "5.22.0", "6.1.0", "5.22.1", "5.22.2", "6.2.1", "6.2.2", "5.22.3", "6.2.4", "6.3.0", "6.3.2", "6.3.4", "6.3.5", "0.2.2", "0.2.3", "0.2.4", "0.2.6", "0.4.0", "0.4.1", "0.4.2", "1.0.1", "1.0.2", "1.1.0", "1.1.3", "1.2.1", "1.3.0", "1.3.2", "1.3.4", "1.3.6", "1.4.0", "1.4.1", "1.5.0-alpha", "1.6.0-alpha-1", "1.6.0-alpha-2", "1.6.0-alpha-3", "1.6.0-beta-1", "1.6.0-beta4", "1.7.0-alpha1", "1.7.0-alpha2", "2.0.0-alpha1", "2.0.0-alpha2", "2.0.0-alpha3", "1.7.0-beta.1", "2.0.0-beta.1", "1.7.0-beta.2", "2.0.0-beta.2", "2.0.0-beta.3", "2.0.0-beta.4", "1.7.0-beta.5", "2.0.0-beta.5", "1.7.0-beta6", "2.0.0-beta.7", "1.7.0-rc1", "1.7.0-rc2", "1.7.0-rc4", "2.0.0-dev4", "2.0.0-dev5", "1.7.0-rc5", "2.0.0-dev8", "1.7.0-rc9", "2.0.0-dev9", "1.7.3", "1.7.4", "1.7.5", "1.7.9", "2.0.0-rc2", "2.0.0-rc3", "2.0.0-rc4", "2.0.0-rc8", "2.0.0", "2.0.1", "2.0.3", "2.0.4", "2.1.2", "2.1.3", "3.0.1", "1.7.11", "3.5.0", "3.5.1", "3.9.0", "3.11.0", "3.13.0", "3.14.1", "3.17.2", "3.18.0", "3.19.0", "3.19.3", "3.20.0", "3.22.0", "3.23.0", "3.23.1", "3.23.3", "3.23.5", "3.24.0", "4.0.0-1", "3.24.3", "3.24.4", "3.24.5", "3.24.8", "3.26.0", "3.28.0", "3.30.1", "3.30.2", "3.30.3", "3.30.4", "4.1.0", "4.2.1", "4.3.0", "4.3.1", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.4.6", "4.4.9", "4.5.0", "4.6.0", "4.7.2", "4.7.3", "4.7.4", "4.7.5", "4.8.1", "4.8.2", "4.8.3", "4.8.4", "4.9.0", "4.10.2", "4.11.0", "4.11.3", 
"4.11.4", "4.11.5", "4.11.7", "4.12.0", "4.13.0", "4.13.1", "4.13.3", "4.13.4", "4.13.6", "4.13.7", "4.13.8", "4.13.10", "4.13.11", "4.13.13", "4.13.15", "4.13.17", "4.15.0", "4.15.1", "4.16.0", "4.16.1", "4.17.2", "4.18.0", "4.19.0", "4.20.1", "4.20.2", "4.20.3", "4.22.3", "4.22.6", "4.22.7", "4.22.8", "4.22.9", "4.22.11", "4.22.13", "4.22.16", "4.23.0", "4.23.2", "4.23.3", "4.25.1", "4.25.2", "4.26.0", "4.27.0", "4.28.1", "4.28.5", "4.29.0", "4.29.1", "4.29.2", "4.29.3", "4.30.0", "4.30.1", "4.30.2", "4.31.0", "4.31.1", "4.32.1", "4.32.3", "4.32.4", "4.32.5", "4.32.6", "4.33.1", "4.33.2", "4.33.3", "4.34.0", "4.35.0", "3.32.1", "4.35.2", "4.35.5", "0.0.0-development", "5.0.0-0", "4.37.1", "4.37.2", "4.37.3", "5.0.0-beta.1", "4.37.6", "5.0.0-beta.3", "5.0.0-beta.5", "4.37.7", "5.0.0-beta.6", "4.37.8", "4.37.10", "4.38.0", "4.39.1", "4.40.0", "5.0.0-beta.13", "5.0.0-beta.14", "4.42.0", "5.0.0-beta.16", "5.0.0-beta.17", "5.2.1", "5.2.3", "5.2.6", "5.2.13", "5.2.14", "5.2.15", "5.3.0", "5.3.1", "5.3.2", "5.3.3", "5.5.0", "5.5.1", "5.7.0", "5.7.3", "5.7.4", "5.7.5", "5.7.6", "5.8.3", "4.44.0", "5.8.6", "5.8.7", "5.8.8", "5.8.9", "5.8.10", "5.9.0", "5.9.1", "4.44.2", "5.9.5", "5.10.0", "5.10.3", "5.11.0", "5.12.1", "5.12.2", "5.12.3", "5.15.0", "5.15.1", "4.44.3", "5.15.2", "5.17.2", "5.18.0", "5.18.2", "5.18.3", "5.18.4", "5.19.0", "5.19.1", "5.19.3", "5.19.4", "5.19.5", "5.19.6", "5.19.7", "6.0.0-beta.2", "5.21.3", "5.21.4", "5.21.5", "4.44.4", "5.21.6", "5.21.9", "5.21.13", "6.1.1", "6.2.0", "6.2.3", "6.3.1", "6.3.3", "6.4.0", "6.5.0", "5.22.4", "6.5.1", "6.6.0", "6.6.1", "6.6.2", "6.6.4", "6.6.5", "6.7.0", "6.8.0", "6.9.0", "6.11.0", "6.10.0", "6.12.0-alpha.1", "6.12.0-beta.1", "6.12.0-beta.2", "6.12.0-beta.3", "6.12.0", "6.12.1", "5.22.5", "6.12.2", "6.12.3", "6.12.4", "6.12.5", "6.13.0", "6.14.0", "6.14.1", "6.15.0", "6.15.1", "6.16.0", "6.16.1", "6.16.2", "6.16.3", "6.17.0", "6.18.0", "6.19.0", "6.19.1", "6.19.2", "6.20.0", "6.20.1", "6.21.0", "6.21.1", 
"6.21.2", "6.21.3", "6.21.4", "6.21.5", "6.21.6", "6.22.0", "6.22.1", "6.23.0", "6.23.1", "6.23.2", "6.24.0", "6.25.0", "6.25.1", "6.25.2", "6.25.3", "6.25.4", "6.25.5", "6.25.6", "6.25.7", "6.25.8", "6.26.0", "6.27.0", "6.28.0"]
Secure versions: [6.29.0, 6.29.1, 6.29.2, 6.29.3, 6.30.0, 6.31.0, 6.31.1, 6.32.0, 6.32.1, 6.33.0, 6.34.0, 6.35.0, 6.35.1, 6.35.2, 6.36.0, 6.37.0, 6.37.1, 6.37.2, 6.37.3, 6.37.4, 6.37.5, 6.37.6, 6.37.7, 7.0.0-alpha.1, 7.0.0-alpha.2, 7.0.0-alpha.3, 7.0.0-alpha.4, 7.0.0-alpha.5, 7.0.0-alpha.6, 7.0.0-alpha.7, 7.0.0-alpha.8, 7.0.0-alpha.9, 7.0.0-alpha2.1, 7.0.0-alpha2.2, 7.0.0-next.1]
Recommendation: Update to version 7.0.0-next.1 (a pre-release), or to 6.29.0 or later to stay on the 6.x line (the advisory text above names sequelize@6.28.1 as the first patched 6.x release).

Sequelize vulnerable to SQL Injection via replacements

Published date: 2023-02-22T22:59:09Z
CVE: CVE-2023-25813
Links:

Impact

The SQL injection lies in how replacements are processed. Here is an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the where option.

const { literal, or } = require('sequelize');

// firstName and lastName are request-supplied values, i.e. attacker-controlled
User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed it: Sequelize built a first query using the where option, then passed it over to sequelize.query, which parsed the resulting SQL to inject all :replacements.

If the user passed values such as

{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}

Sequelize would first generate this query:

SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Then would inject replacements in it, which resulted in this:

SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

As you can see, this resulted in arbitrary user-provided SQL being executed: the escaped value ':firstName' was re-parsed as a placeholder after escaping had already happened.
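The following is an added example, not Sequelize's own code. It models the two-stage assembly described above with plain string functions so the injection can be reproduced without a database, and puts one safer ordering beside it: resolve the placeholders inside the developer-written literal first, then combine it with the escaped user values, so nothing ever re-parses text that came from the user. escapeString() stands in for the dialect's string escaping (doubling single quotes), the placeholder syntax is the :name form from the advisory, the column names (keys of plainConditions) are developer-controlled, and the "safer" function is an illustration of the principle rather than a description of the 6.19.1 patch.

```javascript
// Added example, not sequelize's own code. Reproduces the replacements
// injection from the advisory and shows the ordering that avoids it.

function escapeString(value) {
  return `'${String(value).replace(/'/g, "''")}'`;
}

// Replaces every :name placeholder found anywhere in `sql`. This is only
// safe while `sql` contains nothing that came from a user.
function applyReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(replacements, name)) return match;
    return escapeString(replacements[name]);
  });
}

function renderPlainConditions(plainConditions) {
  return Object.entries(plainConditions).map(
    ([column, value]) => `"${column}" = ${escapeString(value)}`,
  );
}

// The ordering described above for versions before 6.19.1: render the whole
// WHERE (escaped user values included), then scan the finished SQL for
// placeholders. A user value containing ":firstName" is matched too.
function vulnerableFindAll(literalSql, plainConditions, replacements) {
  const whereSql = [literalSql, ...renderPlainConditions(plainConditions)].join(' OR ');
  const sql = `SELECT * FROM users WHERE ${whereSql}`;
  return applyReplacements(sql, replacements);
}

// Safer ordering (illustrative): resolve placeholders in the developer-written
// literal first, then combine with escaped user values. The user value stays
// an ordinary string literal because nothing re-parses it.
function saferFindAll(literalSql, plainConditions, replacements) {
  const resolvedLiteral = applyReplacements(literalSql, replacements);
  const whereSql = [resolvedLiteral, ...renderPlainConditions(plainConditions)].join(' OR ');
  return `SELECT * FROM users WHERE ${whereSql}`;
}

// Constructed input mirroring the advisory's payload.
const LITERAL = 'soundex("firstName") = soundex(:firstName)';
const USER_INPUT = { firstName: 'OR true; DROP TABLE users;', lastName: ':firstName' };

const vulnerableSql = vulnerableFindAll(LITERAL, { lastName: USER_INPUT.lastName }, { firstName: USER_INPUT.firstName });
const saferSql = saferFindAll(LITERAL, { lastName: USER_INPUT.lastName }, { firstName: USER_INPUT.firstName });

console.log('vulnerable:', vulnerableSql);
console.log('safer:     ', saferSql);
```

Running it prints exactly the two queries shown in the advisory for the vulnerable path (the user's lastName ends up as ''OR true; DROP TABLE users;'', a closed empty string followed by bare SQL), while the safer path keeps "lastName" = ':firstName' as a harmless string comparison. The same principle applies to any layer that mixes its own templating with already-escaped values: substitute into trusted templates before, never after, untrusted data has been merged in.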

Patches

The issue was fixed in Sequelize 6.19.1.

Workarounds

Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1.

References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519

Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027

Affected versions: ["0.2.5", "0.3.0", "0.4.3", "1.0.0", "1.1.1", "1.1.2", "1.1.4", "1.2.0", "1.3.1", "1.3.3", "1.3.5", "1.3.7", "1.5.0-beta", "1.5.0-beta-2", "1.5.0", "1.6.0-beta-2", "1.6.0-beta-3", "1.6.0", "1.7.0-alpha3", "1.7.0-beta.0", "2.0.0-beta.0", "1.7.0-beta.3b", "1.7.0-beta.4a", "2.0.0-beta.6", "1.7.0-beta7", "2.0.0-beta.8", "1.7.0-beta8", "2.0.0-dev1", "2.0.0-dev2", "1.7.0-rc3", "2.0.0-dev3", "1.7.0-rc6", "2.0.0-dev6", "2.0.0-dev7", "1.7.0-rc7", "1.7.0-rc8", "1.7.0", "1.7.1", "1.7.2", "1.7.7", "1.7.8", "1.7.10", "2.0.0-rc1", "2.0.0-rc5", "2.0.0-rc6", "2.0.0-rc7", "2.0.2", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.3.0", "3.3.1", "3.3.2", "3.4.0", "3.4.1", "3.6.0", "3.7.0", "3.7.1", "3.8.0", "3.10.0", "3.12.0", "3.12.1", "3.12.2", "3.14.0", "3.14.2", "3.15.0", "3.15.1", "3.16.0", "3.17.0", "3.17.1", "3.17.3", "3.19.1", "3.19.2", "3.21.0", "3.23.2", "4.0.0-0", "3.23.4", "3.23.6", "3.24.1", "3.24.2", "4.0.0-2", "3.24.6", "3.24.7", "3.25.0", "3.25.1", "3.27.0", "3.29.0", "3.30.0", "4.0.0", "4.2.0", "4.3.2", "4.4.5", "4.4.7", "4.4.8", "4.4.10", "4.7.0", "4.7.1", "4.8.0", "4.10.0", "4.10.1", "4.10.3", "4.11.1", "4.11.2", "4.11.6", "4.13.2", "4.13.5", "4.13.9", "4.13.12", "4.13.14", "4.13.16", "4.14.0", "4.15.2", "4.16.2", "4.17.0", "4.17.1", "4.20.0", "4.21.0", "4.22.0", "4.22.1", "4.22.2", "4.22.4", "4.22.5", "4.22.10", "4.22.12", "4.22.14", "4.22.15", "4.23.1", "3.31.0", "4.23.4", "3.31.1", "4.24.0", "4.25.0", "4.28.0", "4.28.2", "4.28.3", "4.28.4", "4.28.6", "4.28.7", "4.28.8", "4.31.2", "4.32.0", "4.32.2", "4.32.7", "4.33.0", "3.31.2", "4.33.4", "4.34.1", "4.35.1", "4.35.3", "4.35.4", "4.36.0", "4.36.1", "4.37.0", "4.37.4", "5.0.0-beta", "4.37.5", "5.0.0-beta.2", "5.0.0-beta.4", "3.33.0", "4.37.9", "5.0.0-beta.7", "5.0.0-beta.8", "5.0.0-beta.9", "5.0.0-beta.10", "5.0.0-beta.11", "5.0.0-beta.12", "4.38.1", "4.39.0", "4.41.0", "4.41.1", "4.41.2", "5.0.0-beta.15", "3.34.0", "4.42.1", "4.43.0", "5.1.0", "5.1.1", "5.2.0", 
"5.2.2", "5.2.4", "5.2.5", "5.2.7", "4.43.1", "5.2.8", "5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.3.4", "5.3.5", "4.43.2", "5.4.0", "5.6.0", "5.6.1", "5.7.1", "5.7.2", "5.8.0", "5.8.1", "5.8.2", "5.8.4", "5.8.5", "6.0.0-beta.1", "3.35.0", "3.35.1", "5.8.11", "5.8.12", "5.9.2", "4.44.1", "5.9.3", "5.9.4", "5.10.1", "5.10.2", "5.12.0", "5.13.0", "5.13.1", "5.14.0", "5.16.0", "5.17.0", "5.17.1", "5.18.1", "5.19.2", "5.19.8", "5.20.0", "5.21.0", "5.21.1", "6.0.0-beta.3", "5.21.2", "6.0.0-beta.4", "6.0.0-beta.5", "5.21.7", "5.21.8", "6.0.0-beta.6", "5.21.10", "5.21.11", "5.21.12", "6.0.0-beta.7", "5.22.0", "6.1.0", "5.22.1", "5.22.2", "6.2.1", "6.2.2", "5.22.3", "6.2.4", "6.3.0", "6.3.2", "6.3.4", "6.3.5", "0.2.2", "0.2.3", "0.2.4", "0.2.6", "0.4.0", "0.4.1", "0.4.2", "1.0.1", "1.0.2", "1.1.0", "1.1.3", "1.2.1", "1.3.0", "1.3.2", "1.3.4", "1.3.6", "1.4.0", "1.4.1", "1.5.0-alpha", "1.6.0-alpha-1", "1.6.0-alpha-2", "1.6.0-alpha-3", "1.6.0-beta-1", "1.6.0-beta4", "1.7.0-alpha1", "1.7.0-alpha2", "2.0.0-alpha1", "2.0.0-alpha2", "2.0.0-alpha3", "1.7.0-beta.1", "2.0.0-beta.1", "1.7.0-beta.2", "2.0.0-beta.2", "2.0.0-beta.3", "2.0.0-beta.4", "1.7.0-beta.5", "2.0.0-beta.5", "1.7.0-beta6", "2.0.0-beta.7", "1.7.0-rc1", "1.7.0-rc2", "1.7.0-rc4", "2.0.0-dev4", "2.0.0-dev5", "1.7.0-rc5", "2.0.0-dev8", "1.7.0-rc9", "2.0.0-dev9", "1.7.3", "1.7.4", "1.7.5", "1.7.9", "2.0.0-rc2", "2.0.0-rc3", "2.0.0-rc4", "2.0.0-rc8", "2.0.0", "2.0.1", "2.0.3", "2.0.4", "2.1.2", "2.1.3", "3.0.1", "1.7.11", "3.5.0", "3.5.1", "3.9.0", "3.11.0", "3.13.0", "3.14.1", "3.17.2", "3.18.0", "3.19.0", "3.19.3", "3.20.0", "3.22.0", "3.23.0", "3.23.1", "3.23.3", "3.23.5", "3.24.0", "4.0.0-1", "3.24.3", "3.24.4", "3.24.5", "3.24.8", "3.26.0", "3.28.0", "3.30.1", "3.30.2", "3.30.3", "3.30.4", "4.1.0", "4.2.1", "4.3.0", "4.3.1", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.4.6", "4.4.9", "4.5.0", "4.6.0", "4.7.2", "4.7.3", "4.7.4", "4.7.5", "4.8.1", "4.8.2", "4.8.3", "4.8.4", "4.9.0", "4.10.2", "4.11.0", "4.11.3", 
"4.11.4", "4.11.5", "4.11.7", "4.12.0", "4.13.0", "4.13.1", "4.13.3", "4.13.4", "4.13.6", "4.13.7", "4.13.8", "4.13.10", "4.13.11", "4.13.13", "4.13.15", "4.13.17", "4.15.0", "4.15.1", "4.16.0", "4.16.1", "4.17.2", "4.18.0", "4.19.0", "4.20.1", "4.20.2", "4.20.3", "4.22.3", "4.22.6", "4.22.7", "4.22.8", "4.22.9", "4.22.11", "4.22.13", "4.22.16", "4.23.0", "4.23.2", "4.23.3", "4.25.1", "4.25.2", "4.26.0", "4.27.0", "4.28.1", "4.28.5", "4.29.0", "4.29.1", "4.29.2", "4.29.3", "4.30.0", "4.30.1", "4.30.2", "4.31.0", "4.31.1", "4.32.1", "4.32.3", "4.32.4", "4.32.5", "4.32.6", "4.33.1", "4.33.2", "4.33.3", "4.34.0", "4.35.0", "3.32.1", "4.35.2", "4.35.5", "0.0.0-development", "5.0.0-0", "4.37.1", "4.37.2", "4.37.3", "5.0.0-beta.1", "4.37.6", "5.0.0-beta.3", "5.0.0-beta.5", "4.37.7", "5.0.0-beta.6", "4.37.8", "4.37.10", "4.38.0", "4.39.1", "4.40.0", "5.0.0-beta.13", "5.0.0-beta.14", "4.42.0", "5.0.0-beta.16", "5.0.0-beta.17", "5.2.1", "5.2.3", "5.2.6", "5.2.13", "5.2.14", "5.2.15", "5.3.0", "5.3.1", "5.3.2", "5.3.3", "5.5.0", "5.5.1", "5.7.0", "5.7.3", "5.7.4", "5.7.5", "5.7.6", "5.8.3", "4.44.0", "5.8.6", "5.8.7", "5.8.8", "5.8.9", "5.8.10", "5.9.0", "5.9.1", "4.44.2", "5.9.5", "5.10.0", "5.10.3", "5.11.0", "5.12.1", "5.12.2", "5.12.3", "5.15.0", "5.15.1", "4.44.3", "5.15.2", "5.17.2", "5.18.0", "5.18.2", "5.18.3", "5.18.4", "5.19.0", "5.19.1", "5.19.3", "5.19.4", "5.19.5", "5.19.6", "5.19.7", "6.0.0-beta.2", "5.21.3", "5.21.4", "5.21.5", "4.44.4", "5.21.6", "5.21.9", "5.21.13", "6.1.1", "6.2.0", "6.2.3", "6.3.1", "6.3.3", "6.4.0", "6.5.0", "5.22.4", "6.5.1", "6.6.0", "6.6.1", "6.6.2", "6.6.4", "6.6.5", "6.7.0", "6.8.0", "6.9.0", "6.11.0", "6.10.0", "6.12.0-alpha.1", "6.12.0-beta.1", "6.12.0-beta.2", "6.12.0-beta.3", "6.12.0", "6.12.1", "5.22.5", "6.12.2", "6.12.3", "6.12.4", "6.12.5", "6.13.0", "6.14.0", "6.14.1", "6.15.0", "6.15.1", "6.16.0", "6.16.1", "6.16.2", "6.16.3", "6.17.0", "6.18.0", "6.19.0"]
Secure versions: [6.29.0, 6.29.1, 6.29.2, 6.29.3, 6.30.0, 6.31.0, 6.31.1, 6.32.0, 6.32.1, 6.33.0, 6.34.0, 6.35.0, 6.35.1, 6.35.2, 6.36.0, 6.37.0, 6.37.1, 6.37.2, 6.37.3, 6.37.4, 6.37.5, 6.37.6, 6.37.7, 7.0.0-alpha.1, 7.0.0-alpha.2, 7.0.0-alpha.3, 7.0.0-alpha.4, 7.0.0-alpha.5, 7.0.0-alpha.6, 7.0.0-alpha.7, 7.0.0-alpha.8, 7.0.0-alpha.9, 7.0.0-alpha2.1, 7.0.0-alpha2.2, 7.0.0-next.1]
Recommendation: Update to version 7.0.0-next.1.

622 Other Versions

Version License Security Released (date - time, age)
4.8.1 MIT 9 2017-09-07 - 17:33 about 8 years
4.8.0 MIT 9 2017-08-30 - 15:30 about 8 years
4.7.5 MIT 9 2017-08-24 - 19:05 about 8 years
4.7.4 MIT 9 2017-08-24 - 18:28 about 8 years
4.7.3 MIT 9 2017-08-24 - 13:19 about 8 years
4.7.2 MIT 9 2017-08-23 - 18:18 about 8 years
4.7.1 MIT 9 2017-08-23 - 11:03 about 8 years
4.7.0 MIT 9 2017-08-23 - 03:09 about 8 years
4.6.0 MIT 9 2017-08-19 - 08:09 about 8 years
4.5.0 MIT 9 2017-08-15 - 07:32 about 8 years
4.4.10 MIT 9 2017-08-14 - 11:32 about 8 years
4.4.9 MIT 9 2017-08-14 - 06:47 about 8 years
4.4.8 MIT 9 2017-08-14 - 04:57 about 8 years
4.4.7 MIT 9 2017-08-13 - 17:42 about 8 years
4.4.6 MIT 9 2017-08-13 - 17:23 about 8 years
4.4.5 MIT 9 2017-08-13 - 14:47 about 8 years
4.4.4 MIT 9 2017-08-13 - 12:51 about 8 years
4.4.3 MIT 9 2017-08-11 - 10:16 about 8 years
4.4.2 MIT 9 2017-07-22 - 10:58 about 8 years
4.4.1 MIT 9 2017-07-21 - 22:28 about 8 years
4.4.0 MIT 9 2017-07-20 - 08:59 about 8 years
4.3.2 MIT 9 2017-07-13 - 08:17 about 8 years
4.3.1 MIT 9 2017-07-11 - 13:31 about 8 years
4.3.0 MIT 9 2017-07-09 - 18:36 over 8 years
4.2.1 MIT 9 2017-06-29 - 08:56 over 8 years
4.2.0 MIT 9 2017-06-21 - 12:46 over 8 years
4.1.0 MIT 9 2017-06-12 - 09:41 over 8 years
4.0.0 MIT 9 2017-06-07 - 17:02 over 8 years
4.0.0-2 MIT 8 2016-09-12 - 07:13 about 9 years
4.0.0-1 MIT 8 2016-08-18 - 15:31 about 9 years
4.0.0-0 MIT 8 2016-05-28 - 08:16 over 9 years
3.35.1 MIT 8 2019-06-21 - 04:34 over 6 years
3.35.0 MIT 10 2019-06-20 - 05:32 over 6 years
3.34.0 MIT 10 2019-01-04 - 14:28 almost 7 years
3.33.0 MIT 10 2018-05-09 - 04:39 over 7 years
3.32.1 MIT 10 2018-03-04 - 05:43 over 7 years
3.31.2 MIT 10 2018-02-09 - 13:30 over 7 years
3.31.1 MIT 10 2017-12-01 - 13:38 almost 8 years
3.31.0 MIT 10 2017-11-28 - 12:46 almost 8 years
3.30.4 MIT 10 2017-03-27 - 14:28 over 8 years
3.30.3 MIT 10 2017-03-24 - 12:09 over 8 years
3.30.2 MIT 10 2017-02-08 - 10:37 over 8 years
3.30.1 MIT 10 2017-01-31 - 16:02 over 8 years
3.30.0 MIT 10 2017-01-24 - 08:01 over 8 years
3.29.0 MIT 10 2017-01-06 - 14:04 almost 9 years
3.28.0 MIT 10 2016-12-20 - 12:18 almost 9 years
3.27.0 MIT 10 2016-11-18 - 13:25 almost 9 years
3.26.0 MIT 10 2016-11-17 - 11:03 almost 9 years
3.25.1 MIT 10 2016-11-16 - 11:49 almost 9 years
3.25.0 MIT 10 2016-11-10 - 12:37 almost 9 years