Vulnerability Description
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sequelizejs | Sequelize | >= 4.0.0, < 4.44.3 |
Related Weaknesses (CWE)
References
- https://github.com/sequelize/sequelize/commit/9bd0bc1%2C
- https://github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751%2C
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751ExploitThird Party Advisory
- https://github.com/sequelize/sequelize/commit/9bd0bc1%2C
- https://github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751%2C
FAQ
What is CVE-2019-10752?
CVE-2019-10752 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queri...
How severe is CVE-2019-10752?
CVE-2019-10752 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-10752?
Check the references section above for vendor advisories and patch information. Affected products include: Sequelizejs Sequelize.