QwikSec

Security Database

CVE

CWE

Training

CVE-2023-25813

Published: Feb 22, 2023

Modified: Mar 10, 2025

PUBLISHED

CVSS v3.1

10.0

CRITICAL

Description

Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.

Vendor	Product	Versions
sequelize	sequelize	affected `< 6.19.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw

x_refsource_CONFIRM

https://github.com/sequelize/sequelize/issues/14519

x_refsource_MISC

https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b

x_refsource_MISC

https://github.com/sequelize/sequelize/releases/tag/v6.19.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.