Sequelize ORM SQL Injection Vulnerabilities and Affected Versions
The article outlines several SQL injection vulnerabilities discovered in various Sequelize ORM versions, explains the underlying causes related to improper JSON path key handling for MySQL, MariaDB, Postgres, and SQLite, provides reproduction screenshots, and strongly advises upgrading to patched releases.
Sequelize is a widely used ORM for Node.js, but several SQL injection vulnerabilities have been identified in multiple versions.
Vulnerability 1: https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221
Affected versions: >=3.0.0 < 3.35.1 || >=4.0.0 < 4.44.3 || >=5.0.0 < 5.8.11
Cause: Improper escaping of JSON path keys for MySQL/MariaDB.
Reproduction screenshot: [image not preserved]

Vulnerability 2: https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450222
Affected versions: < 3.35.1
Cause: Improper handling of JSON path keys for Postgres.
Reproduction screenshot: [image not preserved]

Vulnerability 3: https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
Affected versions: >=4.0.0 < 4.44.3 || >=5.0.0 < 5.15.1
Cause: The sequelize.json() method fails to escape JSON sub-paths for MySQL, MariaDB, and SQLite.
Reproduction screenshot: [image not preserved]
All of these vulnerabilities have been fixed in newer Sequelize releases; users are strongly encouraged to upgrade to the latest version as soon as possible.
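As an added example (not code from this article or from the Sequelize project), a small Node.js script that checks an installed Sequelize version against the three affected ranges quoted above. The advisory ids and version ranges are the ones on this page; the range parser and the file name check.js are assumptions of the example.

```javascript
// Added example, not code from the article or from Sequelize itself.
// Checks a Sequelize version string against the affected ranges quoted above.

const ADVISORIES = [ // ids and ranges exactly as given on this page
  { id: 'SNYK-JS-SEQUELIZE-450221', range: '>=3.0.0 < 3.35.1 || >=4.0.0 < 4.44.3 || >=5.0.0 < 5.8.11' },
  { id: 'SNYK-JS-SEQUELIZE-450222', range: '< 3.35.1' },
  { id: 'SNYK-JS-SEQUELIZE-459751', range: '>=4.0.0 < 4.44.3 || >=5.0.0 < 5.15.1' },
];

// "1.2.3", "v1.2.3" or "1.2.3-beta.1" -> [1, 2, 3]; a pre-release tag is
// ignored, so a beta of a fixed release is still reported as affected.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`not a semver version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '>=': c => c >= 0, '>': c => c > 0, '<=': c => c <= 0, '<': c => c < 0, '=': c => c === 0,
};

// Range grammar is the one used in the advisories: alternatives separated by
// "||", each a conjunction of "<op> x.y.z" clauses (whitespace after op optional).
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(alternative => {
    const clauses = [...alternative.matchAll(/(>=|<=|>|<|=)?\s*v?(\d+\.\d+\.\d+)/g)];
    return clauses.length > 0 &&
      clauses.every(([, op, ver]) => OPS[op || '='](compareVersions(v, parseVersion(ver))));
  });
}

// Returns the ids of the advisories whose affected range contains `version`.
function affectedAdvisories(version) {
  return ADVISORIES.filter(a => satisfies(version, a.range)).map(a => a.id);
}

// Usage: node check.js "$(node -p "require('sequelize/package.json').version")"
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const hits = affectedAdvisories(process.argv[2]);
  console.log(hits.length ? `sequelize ${process.argv[2]} is affected by: ${hits.join(', ')}`
                          : `sequelize ${process.argv[2]} is not in any listed affected range`);
}
```

Run it against the version resolved in your lockfile, not only the one in package.json, since a caret range there can resolve to an older installed release.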