Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-f598-mfpv-gmfx: Sequelize - Default support for “raw attributes” when using parentheses

Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/[email protected] and [email protected].

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694 CVE: CVE-2023-22578

ghsa
Open in Source
#sql#git

Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({ attributes: [ ['count(id)', ‘count’] ] });

Produced

SELECT count(id) AS “count” FROM “users”

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/[email protected] and [email protected].

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS “count” FROM “users”

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See sequelize/sequelize#15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.

A discussion thread about this issue is open at sequelize/sequelize#15694
CVE: CVE-2023-22578

References

  • GHSA-f598-mfpv-gmfx
  • https://nvd.nist.gov/vuln/detail/CVE-2023-22578
  • sequelize/sequelize#15710
  • https://csirt.divd.nl/CVE-2023-22578
  • https://csirt.divd.nl/DIVD-2022-00020/
  • sequelize/sequelize#15694
  • https://github.com/sequelize/sequelize/releases/tag/v6.29.0
  • https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20

Related news

CVE-2023-22578: Redirecting…

Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.

ghsa: Latest News

GHSA-gmx7-gr5q-85w5: magic-crypt uses insecure cryptographic algorithms
ghsa