Version 6.37.5

sequelize

Feature-rich ORM for modern Node.js and TypeScript, it supports PostgreSQL (with JSON and JSONB support), MySQL, MariaDB, SQLite, MS SQL Server, Snowflake, Oracle DB (v6), DB2 and DB2 for IBM i.

Install Instructions

npm install sequelize

Current Version Release Date October 25, 2024

Language JavaScript/TypeScript

Package URL (purl) pkg:npm/sequelize@6.37.5

Links and Resources

Declared License

MIT

GitHub Stars

29,622

Size

62,576 KB

Find sequelize vulnerabilities in your supply chain.

sequelize Vulnerabilities

Sort by

CVE (Latest)

CVE (Latest)
CVE (Oldest)
CVSS Score (Highest)
CVSS Score (Lowest)

CVE	CVSS Score	CWE(s)	EPSS Score	EPSS %	Impacted Versions
CVE-2016-1000225	High 9.8	CWE-89	None	None	3.4.0–3.23.5
CVE-2016-10550	High 9.8	CWE-89	0.00225	0.61514	3.0.0–3.16.0 2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2016-10556	High 7.5	CWE-89	0.00102	0.43183	3.0.0–3.19.3 2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2019-10748	High 9.8	CWE-89	0.00224	0.61404	5.0.0-0–5.8.10 4.0.0–4.44.2 3.0.0–3.35.0 2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2019-10749	High 9.8	CWE-89	0.00194	0.58087	3.0.0–3.35.0 2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2019-10752	High 9.8	CWE-89	0.00273	0.68755	5.0.0-0–5.15.0 4.0.0–4.44.2 3.0.0–3.35.1 2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2023-22578	High 9.8	CWE-790	0.0018	0.56336	6.0.0-beta.1–6.28.2 5.0.0-0–5.22.5 4.0.0–4.44.4 3.0.0–3.35.1 2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2023-22579	High 8.8	CWE-843	0.00107	0.44799	6.0.0-beta.1–6.28.0 5.0.0-0–5.22.5 4.0.0–4.44.4 3.0.0–3.35.1 2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2023-22580	High 7.5	CWE-200	0.00121	0.47828	6.0.0-beta.1–6.28.0 5.0.0-0–5.22.5 4.0.0–4.44.4 3.0.0–3.35.1 2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2023-25813	High 9.8	CWE-89	0.00128	0.4906	6.0.0-beta.1–6.19.0 5.0.0-0–5.22.5 4.0.0–4.44.4 3.0.0–3.35.1 2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2015-1369	High 7.5	CWE-89	0.00219	0.60667	2.0.0-rc1–2.0.0-beta.8 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2016-10553	High 9.8	CWE-89	0.00181	0.56414	2.0.0–2.1.3 1.0.0–1.7.11 0.0.0-development–0.4.3
CVE-2016-10554	High 9.8	CWE-89	0.00225	0.61514	1.0.0–1.7.0-alpha2 0.2.2–0.4.3
CVE-2019-11069	High 7.5	CWE-20	0.00204	0.59147	5.0.0-0–5.2.15

sequelize Vulnerability Remediation Guidance

CVE	Description	Full list of Impacted Versions	Fix
CVE-2023-25813	Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.	3.14.2, 5.8.10, 4.30.0, 4.29.1, 4.28.6, 4.28.5, 4.28.2, 4.25.2 (Show all)	Major → 6.29.0
CVE-2023-22580	Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.	3.14.2, 5.8.10, 4.30.0, 4.29.1, 4.28.6, 4.28.5, 4.28.2, 4.25.2 (Show all)	Major → 6.29.0
CVE-2023-22579	Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.	3.14.2, 5.8.10, 4.30.0, 4.29.1, 4.28.6, 4.28.5, 4.28.2, 4.25.2 (Show all)	Major → 6.29.0
CVE-2023-22578	Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.	3.14.2, 5.8.10, 4.30.0, 4.29.1, 4.28.6, 4.28.5, 4.28.2, 4.25.2 (Show all)	Major → 6.29.0
CVE-2019-11069	Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used.	5.0.0-0, 5.2.2, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.0, 5.1.1 (Show all)	Major → 6.29.0
CVE-2019-10752	Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.	3.14.2, 5.8.10, 4.30.0, 4.29.1, 4.28.6, 4.28.5, 4.28.2, 4.25.2 (Show all)	Major → 6.29.0
CVE-2019-10749	sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.	3.14.2, 3.33.0, 3.31.2, 3.23.0, 3.20.0, 3.19.2, 3.30.2, 3.23.6 (Show all)	Major → 6.29.0
CVE-2019-10748	Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.	3.14.2, 5.8.10, 4.30.0, 4.29.1, 4.28.6, 4.28.5, 4.28.2, 4.25.2 (Show all)	Major → 6.29.0
CVE-2016-10556	sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `["test", "'); DELETE TestTable WHERE Id = 1 --')"]` inside of ``` database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } }); ``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')`. In Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.	3.14.2, 3.19.2, 3.17.2, 3.14.1, 3.17.0, 3.13.0, 3.7.1, 3.8.0 (Show all)	Major → 6.29.0
CVE-2016-10554	sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. Before version 1.7.0-alpha3, sequelize defaulted SQLite to use MySQL backslash escaping, even though SQLite uses Postgres escaping.	1.5.0-beta, 1.1.4, 1.0.0, 0.2.3, 1.6.0-alpha-3, 1.4.0, 1.5.0, 1.7.0-alpha1 (Show all)	Minor → 6.29.0
CVE-2016-10553	sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. A fix was pushed out that fixed potential SQL injection in sequelize 2.1.3 and earlier.	2.0.0-beta.1, 2.0.0-beta.3, 2.0.5, 2.0.0-dev7, 2.0.0-dev6, 2.0.0-dev3, 2.0.0-alpha3, 1.7.7 (Show all)	Major → 6.29.0
CVE-2016-10550	sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier.	3.14.2, 3.14.1, 3.13.0, 3.7.1, 3.8.0, 2.0.0-beta.1, 2.0.0-beta.3, 2.0.5 (Show all)	Major → 6.29.0
CVE-2016-1000225	SequelizeJS 3.23.4 is vulnerable to SQL injection via GeoJSON documents containing a value with a single quote. This vulnerability affects postresql/postgis as well as MySQL. This vulnerability only exists within GeoJSON documents using the function `ST_GeomFromGeoJSON` for postgresql/postgis and the function `GeomFromText` for mysql. SequelizeJS's `geometry` datatype is vulnerable. If you have SequelizeJS models with a field that has a datatype of 'Geometry' and run a mysql or postgresql/postgis backend, your application is vulnerable SequelizeJS is a popular ORM (Object Relational Mapper) for node. GeoJSON is a format for encoding a variety of geographic data structures.	3.14.2, 3.23.0, 3.20.0, 3.19.2, 3.17.2, 3.14.1, 3.17.0, 3.13.0 (Show all)	Major → 6.29.0
CVE-2015-1369	SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.	2.0.0-beta.1, 2.0.0-beta.3, 2.0.0-alpha3, 1.7.7, 1.7.2, 1.7.0-rc7, 1.7.0-rc6, 1.7.0-rc5 (Show all)	Major → 6.29.0

Instantly see if these sequelize vulnerabilities affect your code.