Affected versions of sequelize
are vulnerable to SQL Injection. The function sequelize.json()
incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example:
where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1)
});```
## Recommendation
If you are using `sequelize` 5.x, upgrade to version 5.15.1 or later.
If you are using `sequelize` 4.x, upgrade to version 4.44.3 or later.
## References
- [GitHub PR](https://github.com/sequelize/sequelize/pull/11329)
- [Snyk Report](https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751)
- [GitHub Advisory](https://github.com/advisories/GHSA-m9jw-237r-gvfv)