Skip to content

SQL Injection in sequelize

Moderate severity GitHub Reviewed Published Feb 18, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm sequelize (npm)

Affected versions

<= 1.7.0-alpha2

Patched versions

1.7.0

Description

Affected versions of sequelize use MySQL's backslash-based escape syntax when connecting to SQLite, despite the fact that SQLite uses PostgreSQL's escape syntax, which can result in a SQL Injection vulnerability.

Recommendation

Update to version 1.7.0-alpha3 or later.

References

Published to the GitHub Advisory Database Feb 18, 2019
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

0.225%
(62nd percentile)

Weaknesses

CVE ID

CVE-2016-10554

GHSA ID

GHSA-x2jc-pwfj-h9p3

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.