Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
AnalysisAI
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. Affected products include: Sequelizejs Sequelize. Version information: version 4.44.3.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
Sequelize is a Node.js ORM tool. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no auth
sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly
Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not bei
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL c
Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections. Rated critical sev
Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. Rated high severity (C
SQL injection in Sequelize prior to version 6.37.8 allows unauthenticated attackers to execute arbitrary SQL queries and
Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclos
Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used. Rated high severity
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today