sequelize@1.7.0-alpha2 vulnerabilities

Sequelize is a promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server, Amazon Redshift and Snowflake’s Data Cloud. It features solid transaction support, relations, eager and lazy loading, read replication and more.

Direct Vulnerabilities

Known vulnerabilities in the sequelize package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • M
Access of Resource Using Incompatible Type ('Type Confusion')

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') because user input is improperly sanitized, owing to an unsafe fall-through in GET WHERE conditions.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade sequelize to version 6.28.1 or higher.

<6.28.1
  • M
Information Exposure

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to Information Exposure due to improper handling of user input, which allows an attacker to create malicious queries leading to SQL errors.

How to fix Information Exposure?

Upgrade sequelize to version 6.28.1 or higher.

<6.28.1
  • H
Improper Filtering of Special Elements

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to Improper Filtering of Special Elements: attributes were not escaped if they included '(' and ')' or were equal to '*', and were split if they included the character '.'.

How to fix Improper Filtering of Special Elements?

Upgrade sequelize to version 6.29.0 or higher.

<6.29.0
  • H
SQL Injection

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to SQL Injection due to improper escaping of multiple appearances of $ in a string.

How to fix SQL Injection?

Upgrade sequelize to version 6.21.2 or higher.

<6.21.2
  • C
SQL Injection

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to SQL Injection via the replacements statement. It allowed a malicious actor to pass dangerous values such as OR true; DROP TABLE users through replacements which would result in arbitrary SQL execution.

How to fix SQL Injection?

Upgrade sequelize to version 6.19.1 or higher.

<6.19.1
  • M
Denial of Service (DoS)

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to Denial of Service (DoS). The afterResults function for the SQLite dialect fails to catch a TypeError exception for the results variable. This allows attackers to submit malicious input that forces the exception and crashes the Node process.

How to fix Denial of Service (DoS)?

Upgrade sequelize to version 4.44.4 or higher.

<4.44.4
  • H
SQL Injection

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to SQL Injection due to JSON path keys not being properly sanitized in the Postgres dialect.

How to fix SQL Injection?

Upgrade sequelize to version 3.35.1 or higher.

<3.35.1
  • H
Hash Injection

sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server.

Affected versions of this package are vulnerable to Hash Injection. Using specially crafted requests, an attacker can bypass secret_token protections on websites using sequelize.

For example:

db.Token.findOne({
  where: {
    token: req.query.token
  }
});

Node.js and other platforms allow nested parameters, i.e. token[$gt]=1 will be transformed into token = {"$gt":1}. When such a hash is passed into sequelize, it is treated as a query (greater than 1) that matches the first token in the DB, bypassing the security of this endpoint.
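
The behaviour described above beside a hardened caller, as an added example that is not code from the advisory or from the sequelize project. The parser and the in-memory lookup are simplified, hypothetical stand-ins, the token rows are constructed, and the six-hex-character token format is an assumption.

```javascript
'use strict';
// Added example: every name here is hypothetical and the rows are constructed.

// Simplified stand-in for a nested query-string parser, showing the behaviour
// the advisory describes: "token[$gt]=1" becomes { token: { $gt: '1' } }.
function parseNestedQuery(qs) {
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const pair of qs.split('&').filter(Boolean)) {
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = /^([^\[\]]+)\[([^\[\]]+)\]$/.exec(key);
    if (!m) { out[key] = val; continue; }
    if (typeof out[m[1]] !== 'object') out[m[1]] = Object.create(null);
    out[m[1]][m[2]] = val;
  }
  return out;
}

// Constructed sample data standing in for the Token table.
const TOKENS = [{ id: 1, token: 'f3a9c1' }, { id: 2, token: '9b77de' }];

// Toy lookup that, like the affected versions, reads an object value as an
// operator expression rather than as a literal to compare against.
function findOneUnsafe(where) {
  const hit = TOKENS.find((row) =>
    Object.entries(where).every(([col, cond]) => {
      if (cond !== null && typeof cond === 'object') {
        return '$gt' in cond && row[col] > cond.$gt;
      }
      return row[col] === cond;
    }));
  return hit || null;
}

// Hardened caller: only a string of the expected shape (assumed here to be
// six hex characters) ever reaches the where clause.
function findTokenSafe(query) {
  const t = query.token;
  if (typeof t !== 'string' || !/^[0-9a-f]{6}$/.test(t)) return null;
  return findOneUnsafe({ token: t });
}
```

Checking the type at the request boundary keeps the endpoint safe regardless of how the installed ORM version interprets object values.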

How to fix Hash Injection?

Upgrade sequelize to version 4.12.0 or higher.

<4.12.0
  • M
SQL Injection

sequelize is a multi-dialect ORM for Node.js/io.js. Affected versions of the package are vulnerable to SQL Injection. For example, an application may let a user search for other users by typing the name they want to search for, and then execute:

User.findAll( { where: { name: req.body.name } } )

A malicious attacker may exploit this to find the user's password by entering $password$. This could be avoided by specifying the exact column to search: the user column.

How to fix SQL Injection?

Upgrade sequelize to version 3.12.1 or higher.

<3.12.1
  • M
SQL Injection

sequelize versions prior to 1.7.0-alpha3 are vulnerable to SQL Injection attacks if untrusted user input is passed into the order parameter.

How to fix SQL Injection?

Upgrade to version 1.7.0-alpha3 or greater.

>=0.2.2 <1.7.0-alpha3
  • M
Remote Memory Exposure

A potential memory disclosure vulnerability exists in sequelize versions prior to 3.17.2. A field of type DataTypes.BLOB can be used to expose sensitive information such as code, runtime memory and user data into the database.

Details

sequelize uses the Buffer type to represent DataTypes.BLOB. Initializing a Buffer with an integer N creates a Buffer of length N whose memory is not zeroed out. Example:

var x = new Buffer(100); // uninitialized Buffer of length 100
// vs
var x = new Buffer('100'); // initialized Buffer with value of '100'

Initializing a BLOB field in such a manner will dump uninitialized memory into the database. The patch wraps Buffer field initialization in sequelize by converting a number value N to a string, initializing the Buffer with N in its ASCII form.

Proof of concept

var Sequelize = require('sequelize');
var sequelize = new Sequelize('pastebin', null, null,
    { host: '127.0.0.1', dialect: 'postgres', });

var Task = sequelize.define('Pastebin', {
    title: Sequelize.STRING,
    content: Sequelize.BLOB,
  });

Task.create({
  title: 'title',
  content: 100,
}).then(function (task) {
  console.log(task.title);
  console.log(task.content); // will print out 100 bytes of previously used memory
});

How to fix Remote Memory Exposure?

Upgrade sequelize to version >= 3.17.3

<3.17.2
  • M
SQL Injection

sequelize versions prior to 3.20.0 improperly escape arrays of strings bound to named parameters.

How to fix SQL Injection?

Upgrade to version 3.20.0 or greater.

<3.20.0
  • H
SQL Injection

sequelize versions prior to 2.0.0-rc7 are vulnerable to SQL Injection attacks if untrusted user input is passed into the order parameter.

How to fix SQL Injection?

Upgrade to version 2.0.0-rc8 or greater.

<2.0.0-rc8