SQL Injection via replacements in sequelize
CVE-2023-25813

10 CRITICAL

Key Information:

Vendor: Sequelize
Status: Vendor
CVE Published: 22 February 2023

Badges

👾 Exploit Exists

What is CVE-2023-25813?

Sequelize, a popular ORM for Node.js, contains a SQL injection vulnerability in versions prior to 6.19.1. The issue arises from improper handling of parameters passed through the 'replacements' query option, which allows an attacker to inject arbitrary SQL. Users should upgrade to version 6.19.1 or later. Those unable to upgrade are advised not to use the 'replacements' and 'where' options together in the same query, which avoids the affected code path.
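
Two defensive checks that follow from the advisory, written as an added example (this is not Sequelize's own code): a version test against the affected range `< 6.19.1`, and a guard that refuses the `replacements` + `where` combination the advisory says to avoid when upgrading is not possible. Function names and the semver parsing are assumptions of this example.

```javascript
// Added example for CVE-2023-25813 (not Sequelize project code).
// FIXED_VERSION comes from the advisory: versions below it are affected.
const FIXED_VERSION = '6.19.1';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
// Assumption: inputs are plain semver strings; a leading "v" is tolerated.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease of X sorts below the final release of X, so "6.19.1-rc.1"
// is still counted as affected.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// True when the installed sequelize version falls in the advisory's range.
function isAffectedVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Guard to run on a query options object before handing it to Model.findAll(),
// Model.update() etc. on a deployment that cannot upgrade yet. It enforces the
// advisory's workaround: never combine `replacements` with `where`.
function assertSafeQueryOptions(options) {
  if (options && options.replacements !== undefined && options.where !== undefined) {
    throw new Error(
      'CVE-2023-25813 workaround: do not combine `replacements` with `where`; ' +
      'pass plain values in `where` instead');
  }
  return options;
}

// Usage on constructed sample versions (prints "6.19.0 affected: true").
for (const v of ['6.19.0', '6.19.1', '6.19.1-rc.1']) {
  console.log(`${v} affected: ${isAffectedVersion(v)}`);
}
```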

Affected Version(s)

sequelize < 6.19.1

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved
