CVE-2019-10752
Severity: CRITICAL
Sequelize < 4.44.3 - SQL Injection via sequelize.json() Helper Function
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
References (4)
Core References (4)
- Exploit, Third Party Advisory: https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
- Patch (x_refsource_misc): https://github.com/sequelize/sequelize/commit/9bd0bc1
- Patch, Third Party Advisory (x_refsource_misc): https://github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2ed541e
- Third Party Advisory (x_refsource_confirm): https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
Scores
CVSS v3
9.8
EPSS
0.0146
EPSS Percentile
70.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (2)
- npm/sequelize (npm): 0 - 4.44.3
- sequelizejs/sequelize: 4.0.0 - 4.44.3
Published
Oct 17, 2019
Tracked Since
Feb 18, 2026