CVE-2019-10752

CRITICAL

Sequelize < 4.44.3 - SQL Injection via sequelize.json() Helper Function


Description

Sequelize, all versions prior to 4.44.3 and 5.15.1, is vulnerable to SQL injection because the sequelize.json() helper function does not properly escape values when formatting sub-paths for JSON queries on MySQL, MariaDB and SQLite.

Scores

CVSS v3 9.8
EPSS 0.0146
EPSS Percentile 70.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (2)
npm/sequelize 0 - 4.44.3 (npm)
sequelizejs/sequelize 4.0.0 - 4.44.3
Published Oct 17, 2019
Tracked Since Feb 18, 2026