Impact
Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL
User.findAll({
attributes: [
['count(id)', 'count']
]
});
Produced
SELECT count(id) AS "count" FROM "users"
Patches
This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.
This issue has been patched in @sequelize/[email protected]
and [email protected]
.
In Sequelize 7, it now produces the following:
SELECT "count(id)" AS "count" FROM "users"
In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include ()
without escaping). See sequelize/sequelize#15710 for more information.
Mitigations
Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes
property of your model first.
A discussion thread about this issue is open at sequelize/sequelize#15694
CVE: CVE-2023-22578
References
Impact
Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL
Produced
Patches
This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.
This issue has been patched in
@sequelize/[email protected]
and[email protected]
.In Sequelize 7, it now produces the following:
In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include
()
without escaping). See sequelize/sequelize#15710 for more information.Mitigations
Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the
rawAttributes
property of your model first.A discussion thread about this issue is open at sequelize/sequelize#15694
CVE: CVE-2023-22578
References