ghsa-wrh9-cjv3-2hpw
Vulnerability from github
Published
2023-02-22 22:59
Modified
2023-02-22 22:59
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Sequelize vulnerable to SQL Injection via replacements
Details

Impact

The SQL injection exploit is related to replacements. Here is such an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the where option.

typescript User.findAll({ where: or( literal('soundex("firstName") = soundex(:firstName)'), { lastName: lastName }, ), replacements: { firstName }, })

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query which parsed the resulting SQL to inject all :replacements.

If the user passed values such as

json { "firstName": "OR true; DROP TABLE users;", "lastName": ":firstName" }

Sequelize would first generate this query:

sql SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Then would inject replacements in it, which resulted in this:

sql SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

As you can see this resulted in arbitrary user-provided SQL being executed.

Patches

The issue was fixed in Sequelize 6.19.1

Workarounds

Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1

References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519

Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sequelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.19.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-22T22:59:09Z",
    "nvd_published_at": "2023-02-22T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe SQL injection exploit is related to replacements. Here is such an example: \n\nIn the following query, some parameters are passed through replacements, and some are passed directly through the `where` option.\n\n```typescript\nUser.findAll({\n  where: or(\n    literal(\u0027soundex(\"firstName\") = soundex(:firstName)\u0027),\n    { lastName: lastName },\n  ),\n  replacements: { firstName },\n})\n```\n\nThis is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the `where` option, then passed it over to `sequelize.query` which parsed the resulting SQL to inject all `:replacements`.\n\nIf the user passed values such as\n\n```json\n{\n  \"firstName\": \"OR true; DROP TABLE users;\",\n  \"lastName\": \":firstName\"\n}\n```\n\nSequelize would first generate this query:\n\n```sql\nSELECT * FROM users WHERE soundex(\"firstName\") = soundex(:firstName) OR \"lastName\" = \u0027:firstName\u0027\n```\n\nThen would inject replacements in it, which resulted in this:\n\n```sql\nSELECT * FROM users WHERE soundex(\"firstName\") = soundex(\u0027OR true; DROP TABLE users;\u0027) OR \"lastName\" = \u0027\u0027OR true; DROP TABLE users;\u0027\u0027\n```\n\nAs you can see this resulted in arbitrary user-provided SQL being executed.\n\n### Patches\n\nThe issue was fixed in Sequelize 6.19.1\n\n### Workarounds\n\nDo not use the `replacements` and the `where` option in the same query if you are not using Sequelize \u003e= 6.19.1 \n\n### References\n\nSee this thread for more information: https://github.com/sequelize/sequelize/issues/14519\n\nSnyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027",
  "id": "GHSA-wrh9-cjv3-2hpw",
  "modified": "2023-02-22T22:59:09Z",
  "published": "2023-02-22T22:59:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/issues/14519"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sequelize/sequelize"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/releases/tag/v6.19.1"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sequelize vulnerable to SQL Injection via replacements"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.