GHSA-vqfx-gj96-3w95: Unsafe fall-through in getWhereConditions

Impact

Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error.

A finder call like the following did not throw an error:

User.findAll({
  where: new Date(),
});

Since this option is normally given a plain JavaScript object, be aware that the problem only affects the top-level value of the where option.
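
The guard below is an added example, not code from the advisory or from Sequelize itself: it rejects a top-level where that is not a plain object before the finder sees it, and pairs it with a constructed mock model that reproduces the pre-patch behaviour so the difference is visible offline. The helper names (isPlainObject, isValidTopLevelWhere, safeFindAll) are hypothetical.

```javascript
// Added example (not Sequelize's own code): a guard that makes an invalid
// top-level `where` fail loudly instead of being dropped. Helper names
// (isPlainObject, isValidTopLevelWhere, safeFindAll) are hypothetical.

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Accept only an absent `where` or a plain object. This is deliberately
// stricter than Sequelize itself (assumption: callers here never pass
// literal()/where() instances); a Date, string or number is refused.
function isValidTopLevelWhere(where) {
  return where === undefined || isPlainObject(where);
}

// Wraps a finder call so the bad option throws before reaching the query builder.
function safeFindAll(model, options = {}) {
  if (!isValidTopLevelWhere(options.where)) {
    const tag = Object.prototype.toString.call(options.where); // e.g. [object Date]
    throw new TypeError(`Invalid top-level "where" ${tag}: expected a plain object`);
  }
  return model.findAll(options);
}

// Constructed stand-in for a Sequelize model so the example runs offline.
// It mimics the vulnerable behaviour: a non-object `where` filters nothing,
// so the query silently returns every row.
const fakeUserModel = {
  rows: [{ id: 1, name: 'alice' }, { id: 2, name: 'bob' }],
  findAll({ where } = {}) {
    if (!isPlainObject(where)) return this.rows; // condition dropped
    return this.rows.filter((r) => Object.keys(where).every((k) => r[k] === where[k]));
  },
};

// Compares the unguarded finder with the guarded one on the advisory's input.
function demo() {
  const unguarded = fakeUserModel.findAll({ where: new Date() }).length; // 2: every row
  const filtered = safeFindAll(fakeUserModel, { where: { id: 1 } }).length; // 1
  let rejected = false;
  try {
    safeFindAll(fakeUserModel, { where: new Date() });
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return { unguarded, filtered, rejected };
}
```

Upgrading to the patched versions is the real fix; a wrapper like this only adds a second line of defence for code paths that build where from untrusted input.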

Patches

This issue has been patched in sequelize@6.28.1 & @sequelize/core@7.0.0-alpha.20

References

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15698

CVE: CVE-2023-22579
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090


Package                  Affected versions    Patched versions
@sequelize/core (npm)    < 7.0.0-alpha.20     7.0.0-alpha.20
sequelize (npm)          < 6.28.1             6.28.1


References

  • GHSA-vqfx-gj96-3w95
  • https://nvd.nist.gov/vuln/detail/CVE-2023-22579
  • sequelize/sequelize#15375
  • sequelize/sequelize#15699
  • https://csirt.divd.nl/CVE-2023-22579
  • https://csirt.divd.nl/DIVD-2022-00020/
  • sequelize/sequelize#15698
  • https://github.com/sequelize/sequelize/releases/tag/v6.28.1
  • https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20

ephys published to sequelize/sequelize: Feb 21, 2023
Published to the GitHub Advisory Database: Feb 23, 2023
Reviewed: Feb 23, 2023
Last updated: Feb 23, 2023

Related news

CVE-2023-22579

Due to improper parameter filtering in the Sequelize JS library, an attacker can perform injection.