Sequelize · Sequelize · CVE-2016-10556
**Name of the Vulnerable Software and Affected Versions**
sequelize versions 3.19.3 and earlier
**Description**
The issue lies in how arrays passed as replacements are treated as strings and improperly escaped for Postgres, SQLite, and Microsoft SQL Server, leading to potential SQL injection. A malicious user could exploit this by supplying a specially crafted array, such as `["test", "'); DELETE TestTable WHERE Id = 1 --')"]`, to a query like `database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } });`. The resulting SQL statement would be `SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')`; because the backslash has no special meaning in the mentioned databases, the quote it was meant to escape still terminates the string literal, so the statement could delete the record in TestTable with an Id of 1.
**Recommendations**
Update to version 3.20.0 or later. As a temporary workaround, consider validating and sanitizing user input to prevent malicious data from being injected into SQL queries. Restrict access to sensitive database operations to minimize the risk of exploitation.