{
  "schema_version": "1.4.0",
  "id": "GHSA-wrh9-cjv3-2hpw",
  "modified": "2023-02-22T22:59:09Z",
  "published": "2023-02-22T22:59:09Z",
  "aliases": [
    "CVE-2023-25813"
  ],
  "summary": "Sequelize vulnerable to SQL Injection via replacements",
  "details": "### Impact\n\nThe SQL injection exploit is related to replacements. Here is such an example: \n\nIn the following query, some parameters are passed through replacements, and some are passed directly through the `where` option.\n\n```typescript\nUser.findAll({\n  where: or(\n    literal('soundex(\"firstName\") = soundex(:firstName)'),\n    { lastName: lastName },\n  ),\n  replacements: { firstName },\n})\n```\n\nThis is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the `where` option, then passed it over to `sequelize.query` which parsed the resulting SQL to inject all `:replacements`.\n\nIf the user passed values such as\n\n```json\n{\n  \"firstName\": \"OR true; DROP TABLE users;\",\n  \"lastName\": \":firstName\"\n}\n```\n\nSequelize would first generate this query:\n\n```sql\nSELECT * FROM users WHERE soundex(\"firstName\") = soundex(:firstName) OR \"lastName\" = ':firstName'\n```\n\nThen would inject replacements in it, which resulted in this:\n\n```sql\nSELECT * FROM users WHERE soundex(\"firstName\") = soundex('OR true; DROP TABLE users;') OR \"lastName\" = ''OR true; DROP TABLE users;''\n```\n\nAs you can see this resulted in arbitrary user-provided SQL being executed.\n\n### Patches\n\nThe issue was fixed in Sequelize 6.19.1\n\n### Workarounds\n\nDo not use the `replacements` and the `where` option in the same query if you are not using Sequelize >= 6.19.1 \n\n### References\n\nSee this thread for more information: https://github.com/sequelize/sequelize/issues/14519\n\nSnyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sequelize"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.19.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/issues/14519"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sequelize/sequelize"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/releases/tag/v6.19.1"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-22T22:59:09Z",
    "nvd_published_at": "2023-02-22T19:15:00Z"
  }
}