Sequelizejs: >> Sequelize >> 6.25.6 Security Vulnerabilities
Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-10
Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.
CVSS Score
10.0
EPSS Score
0.002
Published
2023-02-16
Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.
CVSS Score
9.9
EPSS Score
0.004
Published
2023-02-16
Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.
CVSS Score
5.3
EPSS Score
0.003
Published
2023-02-16