PT-2023-18562 · Sequelize · Sequelize

Frank Breedijk +3 · Published 2023-02-16 · Updated 2023-03-03 · CVE-2023-22578

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Sequelize versions prior to 6.29.0
Sequelize versions prior to 7.0.0.alpha-20

Description

The issue is caused by improper attribute filtering in the Sequelize JS library, which allows an attacker to perform SQL injection. It can be exploited when parentheses are used in the attributes option, which causes Sequelize to use the string as-is in the SQL. For example, using the attributes option with a value like ['count(id)', 'count'] can lead to SQL injection. The estimated number of potentially affected devices is not provided.

Recommendations

For Sequelize versions prior to 6.29.0, update to version 6.29.0 or later to patch the issue. For Sequelize versions prior to 7.0.0.alpha-20, update to version 7.0.0.alpha-20 or later to patch the issue.

As a temporary workaround, do not use user-provided content to build your list of attributes. If you do, make sure that the attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.
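
One way to apply the workaround above, as an added example (not code from the advisory or from Sequelize). The helper names pickModelAttributes and tryPick and the stand-in User object are hypothetical; only the rawAttributes property comes from the recommendation.

```javascript
// Constructed stand-in for a model: it exposes only `rawAttributes`, the
// property the workaround refers to. A real Sequelize model provides it.
const User = {
  name: 'User',
  rawAttributes: { id: {}, email: {}, createdAt: {} },
};

// Hypothetical helper (not a Sequelize API): returns the requested attribute
// names only if every one is a plain string that is defined on the model.
function pickModelAttributes(model, requested) {
  if (!Array.isArray(requested) || requested.length === 0) {
    throw new TypeError('attributes must be a non-empty array');
  }
  const known = model.rawAttributes;
  return requested.map((attr) => {
    // Reject [expression, alias] tuples and objects: only bare names pass.
    if (typeof attr !== 'string') {
      throw new TypeError('attribute must be a string');
    }
    // Own-property check, so inherited keys such as "constructor" or
    // "__proto__" are never treated as model attributes.
    if (!Object.prototype.hasOwnProperty.call(known, attr)) {
      throw new RangeError(`unknown attribute: ${JSON.stringify(attr)}`);
    }
    return attr;
  });
}

// Wrapper that reports the outcome instead of throwing, for the demo below.
function tryPick(requested) {
  try {
    return { ok: true, attributes: pickModelAttributes(User, requested) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed inputs standing in for a user-supplied field list.
console.log(tryPick(['id', 'email']));          // accepted
console.log(tryPick(['count(id)']));            // rejected: not on the model
console.log(tryPick([['count(id)', 'count']])); // rejected: not a string
console.log(tryPick(['constructor']));          // rejected: inherited key
```

The validated array is what would be passed as the attributes option, for example to findAll, in place of the raw user input.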

Fix


Weakness Enumeration

Related Identifiers

CVE-2023-22578
GHSA-8MWQ-MJ73-QV68
GHSA-F598-MFPV-GMFX

Affected Products

Sequelize