CVE-2019-10752

Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.

Published: Oct 17, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-10752
GHSA: GHSA-m9jw-237r-gvfv
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
sequelizejs / sequelize	5.0.0	5.15.1
sequelizejs / sequelize	4.0.0	4.44.3
sequelize	-	4.44.3
sequelize	5.0.0	5.15.1

https://github.com/sequelize/sequelize/commit/9bd0bc1,
https://github.com/sequelize/sequelize/commit/9bd0bc1%2C
https://github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2ed541e
https://github.com/sequelize/sequelize/pull/11329
https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751,
https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751%2C
https://www.npmjs.com/advisories/1146

Vulnerability Database

CVE-2019-10752