PT-2023-18563
Frank Breedijk +3 · Published 2023-02-16 · Updated 2023-04-28
CVE-2023-22579
| CVSS v3.1 | 9.9 (Critical) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Sequelize versions prior to 6.28.1
Sequelize Core versions prior to 7.0.0.alpha-20
Description
The issue is due to improper validation of the where parameter in the Sequelize JS library, which can allow an attacker who controls that parameter to inject an unexpected value into a query. Providing an invalid value (a value of a type Sequelize did not expect) to the where option of a query caused Sequelize to silently ignore that option instead of throwing an error, so the query runs without the intended filter. This only happens at the top level of the where option, which is typically used with plain JavaScript objects.
Recommendations
For Sequelize versions prior to 6.28.1, update to version 6.28.1 or later to resolve the issue.
For Sequelize Core versions prior to 7.0.0.alpha-20, update to version 7.0.0.alpha-20 or later to resolve the issue.
As a temporary workaround, validate and sanitize user input before it reaches the where option, and never pass a client-supplied value to that option directly: reject anything that is not a plain object with the expected keys, so that malicious or malformed data cannot reach the query.
Fix
Weakness Enumeration
Type Confusion
Related Identifiers
Affected Products
Sequelize
Sequelize Core
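The workaround recommended above, as an added example that is not Sequelize's own code and not the upstream fix: a caller-side allowlist for the where option that rejects anything except a plain object with known columns and scalar values, so an unexpected value is refused by the application instead of being handed to the ORM. The column allowlist, the request objects and the names buildWhere, ALLOWED_USER_COLUMNS, unsafeFindOptions, guardedFindOptions and classify are assumptions constructed for this example; the request shapes are modelled on what a typical query-string parser produces.

```javascript
// Added example, not Sequelize's code: validate untrusted input before it is
// used as the `where` option, so an unexpected value is rejected by the caller
// instead of being handed to the ORM.

// Hypothetical allowlist of columns a client may filter on.
const ALLOWED_USER_COLUMNS = new Set(['id', 'email', 'status']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function describe(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Returns a fresh plain object that is safe to pass as `where`, or throws.
function buildWhere(untrusted, allowedColumns) {
  if (!isPlainObject(untrusted)) {
    // Strings, numbers, arrays, null and class instances are all rejected here;
    // the advisory's failure mode is an invalid top-level value reaching the ORM.
    throw new TypeError(`where must be a plain object, got ${describe(untrusted)}`);
  }
  const where = {};
  for (const key of Reflect.ownKeys(untrusted)) {
    // Sequelize operators (Op.and, Op.or, ...) are Symbol keys; client input
    // must never be able to supply them.
    if (typeof key !== 'string') {
      throw new TypeError('Symbol (operator) keys are not allowed');
    }
    // Unknown column names, including "__proto__" and friends, stop here.
    if (!allowedColumns.has(key)) {
      throw new RangeError(`column "${key}" may not be filtered on`);
    }
    const value = untrusted[key];
    const scalar = typeof value === 'string' || typeof value === 'boolean' ||
      (typeof value === 'number' && Number.isFinite(value));
    if (!scalar) {
      // Nested objects and arrays would let the client build operator trees or
      // IN-lists this endpoint never intended to expose.
      throw new TypeError(`value for "${key}" must be a scalar, got ${describe(value)}`);
    }
    where[key] = value;
  }
  if (Object.keys(where).length === 0) {
    throw new RangeError('where must contain at least one condition');
  }
  return where;
}

// Vulnerable pattern: the client-supplied value goes straight into the query.
function unsafeFindOptions(req) {
  return { where: req.query.where };
}

// Guarded pattern: the same value only reaches the query after validation.
function guardedFindOptions(req) {
  return { where: buildWhere(req.query.where, ALLOWED_USER_COLUMNS) };
}

// Constructed request objects modelled on common query-string parser output.
const REQUESTS = {
  ok:        { query: { where: { status: 'active' } } },          // ?where[status]=active
  string:    { query: { where: 'status' } },                      // ?where=status
  array:     { query: { where: [{ status: 'active' }] } },        // ?where[0][status]=active
  nested:    { query: { where: { status: ['active', 'x'] } } },   // ?where[status][]=active&...
  badColumn: { query: { where: { password_hash: 'x' } } },        // ?where[password_hash]=x
  proto:     { query: { where: JSON.parse('{"__proto__":{"a":1}}') } },
};

// Summarises what the guarded path does with each request.
function classify(req) {
  try {
    return { accepted: true, where: guardedFindOptions(req).where };
  } catch (err) {
    return { accepted: false, error: err.constructor.name };
  }
}

for (const [name, req] of Object.entries(REQUESTS)) {
  console.log(name, classify(req), 'unguarded would pass:', describe(unsafeFindOptions(req).where));
}
```

After upgrading to the fixed versions listed above, Sequelize itself throws on an invalid top-level where value, which is the behaviour the advisory says was missing; the caller-side allowlist remains worthwhile because it also limits which columns and operators a client can reach, something the library cannot know on its own.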