Exploitation Summary
EIP tracks 1 public exploit for CVE-2015-1369. PoCs published by AikidoSec.
AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2015-1369, demonstrating SQL injection in Sequelize ORM via the 'order' parameter. It includes both vulnerable and protected test cases, with Docker setup for easy reproduction.
Description
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.
Exploits (1)
github
WORKING POC
6 stars
by AikidoSec · javascript · poc
https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2015-1369
Classification
Working Poc 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Sequelize ORM (Node.js MySQL library)
No auth needed
Prerequisites: MySQL database · Node.js environment · Sequelize ORM
devstral-2 · analyzed Feb 27, 2026
References (3)
Core References
Exploit x_refsource_confirm
https://github.com/sequelize/sequelize/pull/2919
Exploit x_refsource_misc
https://nodesecurity.io/advisories/sequelize-sql-injection-order
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/01/23/2
Scores
EPSS: 0.0217
EPSS Percentile: 79.9%
Details
CWE: CWE-89
Status: published
Products (2)
npm/sequelize: 0 - 2.0.0-rc8 (npm)
sequelize_project/sequelize: < 2.0.0
Published: Jan 27, 2015
Tracked Since: Feb 18, 2026