
CVE-2023-25813 sequelize

Package

Manager: npm
Name: sequelize
Vulnerable Version: >=0 <6.19.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.05191 (percentile 0.89526)

Details

Sequelize vulnerable to SQL Injection via replacements

### Impact

The SQL injection is related to replacements. Here is an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the `where` option.

```typescript
User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})
```

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed it: Sequelize first built a query using the `where` option, then passed it over to `sequelize.query`, which parsed the resulting SQL to inject all `:replacements`.

If the user passed values such as

```json
{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}
```

Sequelize would first generate this query:

```sql
SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'
```

It would then inject the replacements into it, which resulted in this:

```sql
SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''
```

As you can see, this resulted in arbitrary user-provided SQL being executed.

### Patches

The issue was fixed in Sequelize 6.19.1.

### Workarounds

Do not use the `replacements` and the `where` option in the same query if you are not using Sequelize >= 6.19.1.

### References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027
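The two-phase processing described above, modelled as an added example that is not Sequelize's own code: `buildVulnerable` renders the `where` clause first and then substitutes `:name` tokens by re-scanning the finished SQL, while `buildFixed` resolves replacements only inside the author-written literal fragments before they are merged with escaped data. All function names and the sample input are constructed for this illustration; `buildFixed` shows the ordering invariant a safe pipeline needs, not the exact code of the 6.19.1 patch.

```javascript
// Added illustration (not Sequelize code) of two orderings for `where` + replacements.

// Render a JS string as a single-quoted SQL literal, doubling embedded quotes.
function sqlEscape(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Substitute every `:name` token in `sql` whose name has a replacement value.
function applyReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (token, name) =>
    Object.hasOwn(replacements, name) ? sqlEscape(replacements[name]) : token);
}

// Render an OR-list of conditions: `literal` fragments pass through verbatim,
// plain `{ column: value }` conditions are escaped.
function renderWhere(conditions) {
  return conditions.map((cond) => {
    if (cond.literal !== undefined) return cond.literal;
    const [column, value] = Object.entries(cond)[0];
    return `"${column}" = ${sqlEscape(value)}`;
  }).join(' OR ');
}

// Pre-6.19.1 shape of the problem: replacements are injected by re-parsing the
// finished SQL, so a `:name` token inside already-escaped user data is substituted too.
function buildVulnerable(conditions, replacements) {
  const sql = `SELECT * FROM users WHERE ${renderWhere(conditions)}`;
  return applyReplacements(sql, replacements);
}

// Safe ordering: resolve replacements only inside author-written literal
// fragments, before they are merged with escaped data. Rendered output is
// never re-parsed, so user data containing `:firstName` stays a plain string.
function buildFixed(conditions, replacements) {
  const resolved = conditions.map((cond) =>
    cond.literal === undefined
      ? cond
      : { literal: applyReplacements(cond.literal, replacements) });
  return `SELECT * FROM users WHERE ${renderWhere(resolved)}`;
}

// Constructed sample input mirroring the advisory's values.
const sampleWhere = [
  { literal: 'soundex("firstName") = soundex(:firstName)' },
  { lastName: ':firstName' },
];
const sampleReplacements = { firstName: 'OR true; DROP TABLE users;' };

console.log(buildVulnerable(sampleWhere, sampleReplacements));
console.log(buildFixed(sampleWhere, sampleReplacements));
```

Running it prints the injected query from the advisory first and, second, a query in which `"lastName" = ':firstName'` is still compared against the literal string the user sent.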

Metadata

Created: 2023-02-22T22:59:09Z
Modified: 2023-02-22T22:59:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-wrh9-cjv3-2hpw/GHSA-wrh9-cjv3-2hpw.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-wrh9-cjv3-2hpw
Finding: F297
Auto approve: 1