PT-2023-18563 · Sequelize +1

Frank Breedijk +3 · Published 2023-02-16 · Updated 2023-04-28 · CVE-2023-22579

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Sequelize versions prior to 6.28.1
Sequelize Core versions prior to 7.0.0.alpha-20

Description

The issue is due to improper parameter filtering in the Sequelize JS library, which can allow an attacker to perform injection. Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error. This only happens at the top level of the where option, typically used with plain JavaScript objects.

Recommendations

For Sequelize versions prior to 6.28.1, update to version 6.28.1 or later to resolve the issue. For Sequelize Core versions prior to 7.0.0.alpha-20, update to version 7.0.0.alpha-20 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing user input to prevent malicious data from being passed to the where option.
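As an added example that is not part of this advisory or of Sequelize itself, the temporary workaround above (validate and sanitize input before it reaches the where option) implemented as a JavaScript guard, together with a check that a 6.x install is at or past the fixed release. The column whitelist and the names `buildWhere` and `isFixedSequelize6` are assumptions; the version check covers only the 6.x line because the 7.x pre-release string is not plain major.minor.patch.

```javascript
// Added example (not Sequelize project code): a guard for the `where`
// option described in CVE-2023-22579. Affected versions silently ignored
// an invalid top-level `where` value instead of throwing, so a query meant
// to be filtered could run unfiltered. `buildWhere`, `isFixedSequelize6`
// and ALLOWED_COLUMNS are hypothetical names chosen for this example.

const ALLOWED_COLUMNS = new Set(['id', 'ownerId', 'status']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' &&
    !Array.isArray(value) &&
    Object.getPrototypeOf(value) === Object.prototype;
}

// Validate untrusted input before it reaches `Model.findAll({ where })`.
// Throws on anything that is not a non-empty plain object of whitelisted
// column -> scalar pairs, so a bad value is rejected, never dropped.
function buildWhere(untrusted) {
  if (!isPlainObject(untrusted)) {
    throw new TypeError('where must be a plain object');
  }
  const keys = Object.keys(untrusted);
  if (keys.length === 0) throw new TypeError('where must not be empty');
  const where = {};
  for (const key of keys) {
    if (!ALLOWED_COLUMNS.has(key)) {
      throw new TypeError(`unexpected column in where: ${key}`);
    }
    const v = untrusted[key];
    if (!['string', 'number', 'boolean'].includes(typeof v)) {
      throw new TypeError(`non-scalar value for column ${key}`);
    }
    where[key] = v;
  }
  return where;
}

// Report whether a 6.x Sequelize version string ("major.minor.patch")
// already carries the fix, i.e. is 6.28.1 or later per the advisory.
function isFixedSequelize6(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === 6 && (minor > 28 || (minor === 28 && patch >= 1));
}

// Constructed input: a legitimate filter that passes the guard.
buildWhere({ ownerId: 42, status: 'active' });
```

A request whose where value arrives as a string, an array or null now fails loudly at the guard instead of being silently dropped by the affected library versions.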

Fix

Type Confusion


Weakness Enumeration

Related identifiers

CVE-2023-22579
GHSA-R3VQ-92C6-3MQF
GHSA-VQFX-GJ96-3W95

Affected products

Sequelize
Sequelize Core