CVE-2016-10556

Severity: NONE · EPSS: 67.9%
Published: May 29, 2018
Last Modified: Jun 17, 2026

Description

sequelize is an object-relational mapper, a middle layer that converts data from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into objects usable from Node.js. In the Postgres, SQLite and Microsoft SQL Server dialects there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier: a malicious user could put `["test", "'); DELETE TestTable WHERE Id = 1 --')"]` into a replacement such as

```
database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } });
```

and cause the SQL statement to become

```
SELECT Id FROM Table WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --')
```

The quote inside the second element has been escaped with a backslash, which is the MySQL convention. In Postgres (with the default `standard_conforming_strings` setting), MSSQL and SQLite the backslash has no special meaning inside a string literal, so `'\'` is a complete literal, the following `)` and `;` terminate the SELECT, the DELETE runs as a second statement, and the `--` turns the trailing `')` into a comment. The result is that the statement deletes whichever row has an Id of 1 in the TestTable table.
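The escaping mismatch described above, as an added example that is not part of this advisory and not sequelize's code. The two quoting helpers, the `IN (...)` expander and the statement splitter are hypothetical, written to reproduce the rules the description states: `quoteMysqlStyle` backslash-escapes quotes, `quoteStandard` doubles them, and `splitStatements` lexes the result the way a database that does (MySQL) or does not (Postgres, SQLite, MSSQL) treat backslash as special would. The attacker input is constructed from the advisory's own payload.

```javascript
// Added example for CVE-2016-10556. Not sequelize's code: the quoting helpers and the
// statement splitter below are hypothetical, written to reproduce the rules the advisory
// describes (backslash-escaped quotes vs. databases where backslash is not special).

// Constructed attacker input, copied from the advisory's description.
const userInput = ["test", "'); DELETE TestTable WHERE Id = 1 --')"];

// MySQL-style literal: backslash escapes quotes and backslashes. Correct for MySQL,
// wrong for Postgres (standard_conforming_strings on), SQLite and MSSQL.
function quoteMysqlStyle(value) {
  return "'" + String(value).replace(/[\\']/g, (ch) => "\\" + ch) + "'";
}

// Standard SQL literal: a quote inside the literal is doubled, backslash is untouched.
function quoteStandard(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Expand the IN (:names) replacement the way the advisory describes: quote each
// element and join with commas. Vulnerable or safe depending on the quoting function.
function buildInQuery(values, quote) {
  return "SELECT * FROM TestTable WHERE Name IN (" + values.map(quote).join(", ") + ")";
}

// Split SQL text into statements the way a database lexer would, tracking string
// literals ('' is an escaped quote; backslash is only special when backslashEscapes
// is true) and -- comments. A second statement appearing means the injection worked.
function splitStatements(sql, { backslashEscapes }) {
  const statements = [];
  let current = "";
  let inLiteral = false;
  let inComment = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inComment) {
      if (ch === "\n") inComment = false;
      continue;
    }
    if (inLiteral) {
      current += ch;
      if (backslashEscapes && ch === "\\" && i + 1 < sql.length) {
        current += sql[++i]; // backslash protects the next character (MySQL rule)
      } else if (ch === "'") {
        if (sql[i + 1] === "'") {
          current += sql[++i]; // doubled quote stays inside the literal
        } else {
          inLiteral = false;
        }
      }
      continue;
    }
    if (ch === "'") {
      inLiteral = true;
      current += ch;
    } else if (ch === "-" && sql[i + 1] === "-") {
      inComment = true; // rest of the line is dropped, exactly what the payload's -- relies on
      i++;
    } else if (ch === ";") {
      statements.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  if (current.trim() !== "") statements.push(current.trim());
  return statements;
}

// Builds both queries and returns how each database family would split them.
function analyze(values) {
  const vulnerable = buildInQuery(values, quoteMysqlStyle);
  const fixed = buildInQuery(values, quoteStandard);
  return {
    vulnerable,
    fixed,
    vulnerableOnMysql: splitStatements(vulnerable, { backslashEscapes: true }),
    vulnerableOnPostgres: splitStatements(vulnerable, { backslashEscapes: false }),
    fixedOnPostgres: splitStatements(fixed, { backslashEscapes: false }),
  };
}

// Stand-alone run: show the two renderings and the statement counts.
if (typeof require !== "undefined" && require.main === module) {
  const r = analyze(userInput);
  console.log("vulnerable SQL:", r.vulnerable);
  console.log("as MySQL sees it:", r.vulnerableOnMysql.length, "statement(s)");
  console.log("as Postgres/SQLite/MSSQL see it:", r.vulnerableOnPostgres);
  console.log("fixed SQL:", r.fixed, "->", r.fixedOnPostgres.length, "statement(s)");
}
```

The same backslash-escaped string is one statement under MySQL rules and two under standard rules, which is the whole bug: the escaping was not wrong in itself, it was applied for the wrong dialect. The doubled-quote form stays a single statement on all of them.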

Threat Intelligence

EPSS exploit probability: 67.9% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-89 SQL Injection

Affected Products 1

Vendor        Product     Version   Range
sequelizejs   sequelize   *         ≤3.19.3

References 2

  • github.com https://github.com/sequelize/sequelize/issues/5671
    Exploit, Issue Tracking, Third Party Advisory
  • nodesecurity.io https://nodesecurity.io/advisories/102
    Third Party Advisory

Remediation

No remediation data is recorded on this page. The affected range above stops at sequelize 3.19.3, so later releases are not listed as affected; confirm the fixed version against the nodesecurity advisory (102) and the NVD entry before treating an upgrade as the fix, since the status block above also reports "No Patch Available".

Independent of the library version, do not pass user-controlled arrays straight into string replacements: validate element type and length first, and prefer the database driver's parameter binding for IN lists so that the database, not dialect-specific string escaping, handles quoting.