PT-2026-24433 · Sequelize · Sequelize
Ethankim88 · Published 2026-03-10 · Updated 2026-04-27 · CVE-2026-30951
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Sequelize versions prior to 6.37.8
Description: Sequelize, a Node.js ORM tool, contains a SQL injection flaw caused by unescaped handling of the cast type during JSON/JSONB where-clause processing. The traverseJSON() function splits JSON path keys on '::' to determine a cast type, which is then incorporated directly into the generated SQL as CAST(... AS <type>). An attacker who controls JSON object keys can therefore inject arbitrary SQL, potentially leading to data exfiltration from any table. The vulnerable component is the traverseJSON() function.
Recommendations: Update to version 6.37.8 or later.
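As an added defensive example (not Sequelize's own code), the guard below inspects the keys of a where object before they reach the ORM and rejects any key whose '::' cast suffix is not a plain identifier on an allowlist, which is the class of check that closes the flaw described above. The allowlist, the split-on-first-'::' rule and the helper names are assumptions for illustration.

```javascript
// Added example, not code from Sequelize. It mirrors the flaw class in the advisory:
// a key such as "meta.field::text" carries a cast suffix after '::' which, if passed
// through unvalidated, would be spliced into CAST(... AS <type>) in the generated SQL.

// Constructed allowlist of acceptable cast types; a real deployment would use the exact
// set its database and schema need.
const ALLOWED_CAST_TYPES = new Set(['text', 'integer', 'boolean', 'numeric', 'timestamp']);

// Split a key on the first '::' into a JSON path and an optional cast type.
// (Assumption: this approximates the splitting the advisory describes.)
function splitCast(key) {
  const idx = key.indexOf('::');
  if (idx === -1) return { path: key, cast: null };
  return { path: key.slice(0, idx), cast: key.slice(idx + 2) };
}

// A key is safe when it has no cast, or when the cast is a bare alphabetic identifier
// that is on the allowlist (case-insensitive). Whitespace, punctuation, brackets or
// quotes in the cast position are rejected outright.
function isSafeJsonKey(key) {
  const { cast } = splitCast(key);
  if (cast === null) return true;
  return /^[a-z]+$/i.test(cast) && ALLOWED_CAST_TYPES.has(cast.toLowerCase());
}

// Walk a (possibly nested) where object and return the dotted paths of every key that
// fails the check, so the caller can reject the request before it reaches the ORM.
// Symbol keys (operator keys) are skipped by Object.entries and are not string input.
function findUnsafeKeys(where, prefix = '') {
  const bad = [];
  for (const [key, value] of Object.entries(where)) {
    const full = prefix ? `${prefix}.${key}` : key;
    if (!isSafeJsonKey(key)) bad.push(full);
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      bad.push(...findUnsafeKeys(value, full));
    }
  }
  return bad;
}

// Constructed sample where object: one well-formed cast, one unknown cast type.
const sampleWhere = { status: 'active', meta: { 'score::integer': 10, 'tag::int4[]': 'x' } };
console.log(findUnsafeKeys(sampleWhere)); // ["meta.tag::int4[]"]
```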

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2026-04971
CVE-2026-30951
GHSA-6457-6JRX-69CR

Affected Products

Sequelize