CVE-2023-25813

moderate-risk
Published 2023-02-22

Sequelize is a Node.js ORM tool. In versions prior to 6.19.1, a SQL injection vulnerability exists related to replacements. Parameters passed through replacements are not properly escaped, which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and `where` options in the same query.

Do I need to act?

EPSS score: ~3.5% chance of exploitation in next 30 days (moderate exploit probability)

Not on CISA KEV list: no confirmed active exploitation reported to CISA

Fix available. Upgrade to: 6c5f8ec550f75605814cf325c79d36ea4c98bc46

CVSS 10.0/10 Critical (NETWORK / LOW complexity)

Affected Products (1)

Sequelize

Affected Vendors

Risk score: 45 / 100 (moderate-risk)
Severity 33/34 · Critical
Exploitability 7/34 · Low
Exposure 5/34 · Minimal