Javascript Sequelize Unsafe Empty Password
Description
This detector identifies unsafe Sequelize database configurations in which the connection is opened with an empty or missing password: an empty string, null, undefined, or no password supplied at all, whether passed as a constructor argument, set in a configuration object, or embedded in a connection string. A database account without a password can be used by anyone who can reach the database port, so the exposure is unauthorized read access to sensitive data together with the ability to modify or delete critical records. Such settings commonly begin as local development shortcuts that are then committed and promoted to shared environments unchanged.
Detection Strategy
• The detector first verifies that the JavaScript file imports or uses the 'sequelize' module
• It then examines Sequelize constructor calls and configuration objects throughout the codebase
• A vulnerability is reported when a Sequelize connection is configured with an empty string password, null password, undefined password, or missing password field entirely
• The check is limited to how the password itself is set in the connection configuration; a password supplied through a non-literal expression, such as process.env.DB_PASSWORD, is not reported because its value is not known at scan time
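The strategy above, as an added example that is not code from Fluid Attacks or from the Sequelize project: a minimal static checker in JavaScript that applies the steps in order (the import gate, the search for `new Sequelize(...)` calls, and the classification of the password) to a few constructed source files. It goes slightly beyond the page's own snippets by covering all three constructor forms Sequelize accepts: positional arguments, a configuration object, and a connection URI. The sample files, their names, and the hypothetical `./local-orm` module are constructed for the demonstration. It is a heuristic scanner, not a JavaScript parser.

```javascript
// Added example, not Fluid Attacks' engine: a small static checker that follows the
// strategy above. It gates on a sequelize import, finds every `new Sequelize(...)`
// and classifies the password in each constructor form. Heuristic scanner, not a
// real JavaScript parser; sufficient for the shapes exercised here.
const IMPORT_RE = /require\(\s*['"]sequelize['"]\s*\)|from\s+['"]sequelize['"]/;
const CTOR_RE = /new\s+Sequelize\s*\(/g;
const EMPTY = new Map([["''", 'empty string'], ['""', 'empty string'],
                       ['``', 'empty string'], ['null', 'null'], ['undefined', 'undefined']]);

// From the bracket at openIdx to its matching closer: the top-level comma-separated
// items with comments stripped, and the index just past the closer.
function scanList(src, openIdx) {
  const items = [];
  let depth = 1, quote = null, cur = '', i = openIdx + 1;
  for (; i < src.length; i++) {
    const ch = src[i], nx = src[i + 1];
    if (quote) {                                          // inside a string literal
      cur += ch;
      if (ch === '\\') cur += src[++i] ?? '';
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '/' && nx === '/') { i = src.indexOf('\n', i); if (i < 0) i = src.length; continue; }
    if (ch === '/' && nx === '*') { const e = src.indexOf('*/', i + 2); i = e < 0 ? src.length : e + 1; continue; }
    if (ch === "'" || ch === '"' || ch === '`') { quote = ch; cur += ch; continue; }
    if ('([{'.includes(ch)) depth++;
    else if (')]}'.includes(ch) && --depth === 0) break;
    if (ch === ',' && depth === 1) { items.push(cur.trim()); cur = ''; continue; }
    cur += ch;
  }
  if (cur.trim()) items.push(cur.trim());
  return { items, end: i + 1 };
}

// Source text of the password expression for each form Sequelize's constructor
// accepts; undefined means no password was supplied at all.
function passwordExpr(args) {
  const first = args[0] ?? '';
  if (args.length <= 2 && /^[\w$.]+$/.test(first)) {       // new Sequelize(config) / (uri, options)
    return { form: 'reference', expr: first };              // held in a variable: unknown statically
  }
  if (/^['"`]sqlite:/.test(first)) return { form: 'uri', expr: 'n/a' }; // sqlite has no password
  if (/^['"`]\w+:\/\//.test(first)) {                       // 'dialect://user:password@host/db'
    const m = first.slice(1, -1).match(/^\w+:\/\/([^@/]*)@/);
    if (!m || !m[1].includes(':')) return { form: 'uri', expr: undefined };
    const pw = m[1].slice(m[1].indexOf(':') + 1);
    return { form: 'uri', expr: pw === '' ? "''" : `'${pw}'` };
  }
  if (first.startsWith('{')) {                              // { database, username, password, ... }
    const entry = scanList(first, 0).items
      .map(e => e.match(/^(['"]?)password\1(?:\s*:\s*([\s\S]+))?$/))
      .find(Boolean);
    return { form: 'object', expr: entry ? (entry[2] ?? 'password').trim() : undefined };
  }
  return { form: 'positional', expr: args[2] };            // (database, username, password, options)
}

function classify(expr) {
  if (expr === undefined) return 'missing password';
  const kind = EMPTY.get(expr.trim());
  return kind ? `${kind} password` : null;                  // null: not statically known to be empty
}

// Run the check over one file's source text; one finding per offending constructor call.
function checkSource(src, file = '<input>') {
  if (!IMPORT_RE.test(src)) return [];                      // step 1: the file must use sequelize
  const findings = [];
  CTOR_RE.lastIndex = 0;
  for (let m; (m = CTOR_RE.exec(src)) !== null;) {
    const { items, end } = scanList(src, m.index + m[0].length - 1);
    const { form, expr } = passwordExpr(items);
    const reason = classify(expr);
    if (reason) findings.push({ file, line: src.slice(0, m.index).split('\n').length, form, reason });
    CTOR_RE.lastIndex = end;
  }
  return findings;
}
function checkAll(files) {
  return Object.entries(files).flatMap(([file, src]) => checkSource(src, file));
}

// Constructed sample files (not from the original page), one per constructor form.
const SAMPLES = {
  'positional.js': `const { Sequelize } = require('sequelize');
const db = new Sequelize(
  'orders',
  'app',
  null, // "just for local dev"
  { dialect: 'postgres' },
);`,
  'object.mjs': `import { Sequelize } from 'sequelize';
export const db = new Sequelize({ database: 'orders', username: 'app', dialect: 'postgres' });`,
  'uri.js': `const { Sequelize } = require('sequelize');
const a = new Sequelize('postgres://app@db.internal:5432/orders');
const b = new Sequelize('mysql://root:@db.internal/orders', { logging: false });`,
  'env.js': `const { Sequelize } = require('sequelize');
const db = new Sequelize(process.env.DB_NAME, process.env.DB_USER, process.env.DB_PASSWORD,
                         { dialect: 'postgres' });`,
  'other-orm.js': `const Sequelize = require('./local-orm');
const db = new Sequelize('orders', 'app', '');`,
};
for (const f of checkAll(SAMPLES)) console.log(`${f.file}:${f.line} ${f.form} form, ${f.reason}`);
```

Running it reports four findings: the null positional argument, the configuration object with no password key, the URI whose userinfo has no password, and the URI with an empty one. Two files are deliberately silent: other-orm.js constructs a class that merely happens to be called Sequelize, so the import gate skips it, and env.js takes the password from process.env.DB_PASSWORD, which is not a literal and so cannot be judged statically. That last case is the limit of the rule: an unset variable yields undefined at runtime, which is exactly the misconfiguration the detector flags when written literally, so it needs a startup guard rather than a scan.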
Vulnerable code example
const { Sequelize } = require('sequelize');
// VULNERABLE: Sequelize with null password allows unauthorized DB access
const sequelize = new Sequelize(
  "database",
  "user",
  null, // Vulnerable: null password
  { /* ...options, including the required dialect */ }
);
✅ Secure code example
const { Sequelize } = require('sequelize');
// SECURE: Use environment variables for database credentials
if (!process.env.DB_PASSWORD) {
  // An unset variable yields undefined, the same misconfiguration this detector reports
  throw new Error("DB_PASSWORD must be set");
}
const sequelize = new Sequelize(
  process.env.DB_NAME || "database",
  process.env.DB_USER || "user",
  process.env.DB_PASSWORD, // Safe: password from environment variable
  { /* ...options, including the required dialect */ }
);