CVE-2026-30951
HIGH
GHSA-6457-6jrx-69cr
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.
Analysis
SQL injection in Sequelize prior to version 6.37.8 allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive data by manipulating JSON object keys in WHERE clause operations. The vulnerability stems from improper sanitization of cast type parameters in the _traverseJSON() function, which directly interpolates user-controlled input into CAST SQL statements. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Node.js applications using Sequelize and document version numbers; assess whether JSON/JSONB filtering is used in production queries. Within 7 days: Implement input validation and parameterized query patterns to avoid dynamic JSON casting; deploy WAF rules to detect SQL injection patterns in application traffic; segment database access with least-privilege credentials. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today