SQL Injection The advisory has been revoked - it doesn't affect any version of package sequelize Open this link in a new tab

Threat Intelligence

EPSS 0.18% (55^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID npm:sequelize:20150517
published 1 Apr 2016
disclosed 17 May 2015
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 17 May 2015

CVE-2016-10553 Open this link in a new tab CWE-89 Open this link in a new tab

How to fix?

Upgrade to version 3.0.0 or greater.

Overview

Beginning with sequelize version 3.0.0, two security related changes were introduced:

findOne no longer takes a string / integer / binary argument to represent a primaryKey. Use findById instead.
where: "raw query" is no longer legal, you must now explicitly use where: ["raw query", [replacements]]

References

https://github.com/sequelize/sequelize/blob/master/changelog.md#300