Skip to main content

Sequelize

10 CVEs product

Monthly

CVE-2026-30951 npm HIGH PATCH This Week

SQL injection in Sequelize prior to version 6.37.8 allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive data by manipulating JSON object keys in WHERE clause operations. The vulnerability stems from improper sanitization of cast type parameters in the _traverseJSON() function, which directly interpolates user-controlled input into CAST SQL statements. Node.js applications using affected Sequelize versions are at risk of complete database compromise.

Node.js SQLi Sequelize
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2023-25813 npm CRITICAL POC PATCH Act Now

Sequelize is a Node.js ORM tool. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js SQLi Sequelize
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-22580 npm HIGH PATCH This Week

Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sequelize
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-22579 npm HIGH PATCH This Week

Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Memory Corruption Code Injection Sequelize
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-22578 npm CRITICAL PATCH Act Now

Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Sequelize
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2019-10749 npm CRITICAL POC PATCH Act Now

sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PostgreSQL Sequelize
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2019-10748 npm CRITICAL POC PATCH Act Now

Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Sequelize
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2019-10752 npm CRITICAL POC PATCH Act Now

Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Sequelize
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2019-11069 npm HIGH PATCH This Week

Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Sequelize
NVD GitHub
CVSS 3.0
7.5
EPSS
1.8%
CVE-2015-1369 npm HIGH POC PATCH This Week

SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Node.js Sequelize
NVD GitHub
CVSS 2.0
7.5
EPSS
0.4%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

SQL injection in Sequelize prior to version 6.37.8 allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive data by manipulating JSON object keys in WHERE clause operations. The vulnerability stems from improper sanitization of cast type parameters in the _traverseJSON() function, which directly interpolates user-controlled input into CAST SQL statements. Node.js applications using affected Sequelize versions are at risk of complete database compromise.

Node.js SQLi Sequelize
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Sequelize is a Node.js ORM tool. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js SQLi Sequelize
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sequelize
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Memory Corruption Code Injection Sequelize
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Sequelize
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PostgreSQL Sequelize
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Sequelize
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Sequelize
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Sequelize
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Node.js Sequelize
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy