sequelize
npm13 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting sequelizepage 1 of 1
- CVE-2015-1369NONECVSS 0.0✓ Fixed in 2.0.0-rc82015-01-27
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.
- CVE-2016-10550CRITICALCVSS 9.8✓ Fixed in 3.17.02018-05-31
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious u…
- CVE-2016-10553CRITICALCVSS 9.8✓ Fixed in 3.0.02018-05-31
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. A fix was pushed out that fixed potential SQL injection in sequelize 2.…
- CVE-2016-10554CRITICALCVSS 9.8✓ Fixed in 1.7.02018-05-31
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. Before version 1.7.0-alpha3, sequelize defaulted SQLite to use MySQL ba…
- CVE-2016-10556HIGHCVSS 7.5✓ Fixed in 3.20.02018-05-29
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where ar…
- CVE-2019-10748CRITICALCVSS 9.8EG 9.8✓ Fixed in 5.8.112019-10-29
Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.
- CVE-2019-10749CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.35.12019-10-29
sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.
- CVE-2019-10752CRITICALCVSS 9.8EG 9.8✓ Fixed in 5.15.12019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
- CVE-2019-11069HIGHCVSS 7.5✓ Fixed in 5.3.02019-04-10
Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used.
- CVE-2023-22578CRITICALCVSS 10.0EG 10.0✓ Fixed in 6.29.02023-02-16
Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.
- CVE-2023-22579CRITICALCVSS 9.9EG 9.9✓ Fixed in 6.28.12023-02-16
Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.
- CVE-2023-22580MEDIUMCVSS 5.3EG 5.3✓ Fixed in 6.28.12023-02-16
Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.
- CVE-2023-25813CRITICALCVSS 10.0EG 10.0✓ Fixed in 6.19.12023-02-22
Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depend…
Check whether sequelize is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for sequelize CVEs against the assets you own.
Start Free Scan →