PT-2023-20322 · Sequelize · Sequelize

Ephys

·

Published

2023-02-22

·

Updated

2023-03-03

·

CVE-2023-25813

CVSS v3.1

10

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sequelize versions prior to 6.19.1
Description: The issue is an SQL injection caused by improper escaping of parameters passed through replacements. Before 6.19.1, replacements were substituted into the generated SQL after the values supplied through the where option had already been escaped into it, so a replacement token that appears inside a where value is rewritten as well. Depending on the specific queries in use this can lead to arbitrary SQL injection: in a query where some parameters are passed through replacements and some are passed directly through the where option, an attacker who controls those inputs can supply specially crafted values, such as a payload ending in OR true; DROP TABLE users;, to break out of the quoted value and append statements. The estimated number of potentially affected devices worldwide is not available.
Recommendations: For Sequelize versions prior to 6.19.1, upgrade to version 6.19.1 or later, which fixes the issue. As a temporary workaround for users unable to upgrade, do not use the replacements and the where option in the same query.
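The following is an added illustration written for this entry; it is not code from Sequelize, from the advisory, or from the reporter. It reimplements in plain JavaScript the order of operations that made the pre-6.19.1 behaviour dangerous: a where value is escaped into the statement first, then named replacements are substituted over the whole string, so a :name token inside the already-escaped where value is rewritten too. The table and column names, the buildVulnerable and buildHardened helpers, the simplified :name token regex, the quote-doubling escaper, the check helper and the attacker inputs are all assumptions made for the demonstration. The hardened variant applies replacements to the literal fragment before it is combined with escaped values; that is this example's model of the ordering a fix needs, not a quotation of the Sequelize patch.

```javascript
// Added illustration for CVE-2023-25813: a toy model of how a query that mixes
// `where` values and `replacements` was assembled before Sequelize 6.19.1.
// None of this is Sequelize code; all names are assumptions for the demo.

// Quote-doubling escaper in the style used for PostgreSQL/SQLite string
// literals. Numbers and booleans are emitted bare.
function escapeValue(value) {
  if (typeof value === 'number' || typeof value === 'boolean') {
    return String(value);
  }
  return `'${String(value).replace(/'/g, "''")}'`;
}

// Substitute every `:name` token in `sql` with the escaped replacement value.
// Simplified token syntax (`:` followed by word characters). A function
// replacer is used so `$` sequences in the value are inserted verbatim.
function applyReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (token, key) => {
    if (!Object.prototype.hasOwnProperty.call(replacements, key)) {
      throw new Error(`Named parameter "${token}" has no value in the given object.`);
    }
    return escapeValue(replacements[key]);
  });
}

// VULNERABLE ordering (the pre-6.19.1 behaviour being modelled): the `where`
// value is escaped into the statement first, then replacements run over the
// entire string, including the inside of that escaped literal.
function buildVulnerable(literalSql, categoryValue, replacements) {
  const sql = `SELECT * FROM users WHERE (${literalSql}) OR category = ${escapeValue(categoryValue)}`;
  return applyReplacements(sql, replacements);
}

// HARDENED ordering: replacements are applied to the literal fragment only,
// before it is combined with escaped `where` values, so escaped user input is
// never scanned for `:name` tokens. (This example's model of what a fix needs.)
function buildHardened(literalSql, categoryValue, replacements) {
  const literal = applyReplacements(literalSql, replacements);
  return `SELECT * FROM users WHERE (${literal}) OR category = ${escapeValue(categoryValue)}`;
}

// Check helper: blank out every single-quoted literal ('' is an escaped quote)
// and test whether the attacker's DROP TABLE survives outside the quotes.
function stripStringLiterals(sql) {
  return sql.replace(/'(?:[^']|'')*'/g, "''");
}

function injectsOutsideLiterals(sql) {
  return /\bDROP\s+TABLE\b/i.test(stripStringLiterals(sql));
}

// Constructed attacker input (not from the advisory): the `where` value
// carries a `:search` token and the replacement carries the payload. The
// payload's own opening quote closes the `'x'` literal that the escaper
// produced; its closing quote is swallowed by the `--` comment.
const LITERAL = 'name LIKE :search';
const ATTACKER_CATEGORY = 'x:search';
const ATTACKER_REPLACEMENTS = { search: ' OR true; DROP TABLE users; --' };

console.log('vulnerable:', buildVulnerable(LITERAL, ATTACKER_CATEGORY, ATTACKER_REPLACEMENTS));
console.log('hardened:  ', buildHardened(LITERAL, ATTACKER_CATEGORY, ATTACKER_REPLACEMENTS));
```

In the vulnerable output the second occurrence of the payload lands after `category = 'x'`, outside any string literal, which is the breakout the advisory describes; in the hardened output the same inputs yield `category = 'x:search'` as an inert value. Note that the demonstration needs the attacker to influence both a where value and a replacement value, which is exactly the mixed usage the workaround tells you to avoid. For raw queries in Sequelize 6, the bind option of sequelize.query sends values to the driver separately from the SQL text and is the safer choice over replacements.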

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2023-25813
GHSA-wrh9-cjv3-2hpw

Affected Products

Sequelize