CVE-2023-25813

CRITICAL LAB

Sequelize < 6.19.1 - SQL Injection via Replacements

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2023-25813. PoCs published by White-BAO, h-gunp, bde574786.

AI-analyzed exploit summary The repository contains minimal code related to a Sequelize-based user model but lacks any functional exploit code or technical details about CVE-2023-25813. The README is empty except for the CVE identifier.

Description

Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.

Exploits (6)

nomisec STUB 1 stars
by White-BAO · poc
https://github.com/White-BAO/CVE-2023-25813

The repository contains minimal code related to a Sequelize-based user model but lacks any functional exploit code or technical details about CVE-2023-25813. The README is empty except for the CVE identifier.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Unknown (Sequelize-based application)
No auth needed
Prerequisites: None specified
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by h-gunp · poc
https://github.com/h-gunp/CVE-2023-25813-TEST

This repository contains a functional proof-of-concept for CVE-2023-25813, demonstrating a Sequelize SQL injection vulnerability in the login route. The vulnerable code uses `literal` and `and` in a way that allows bypassing authentication.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Sequelize 6.19.0
No auth needed
Prerequisites: Docker · MySQL 8.0
devstral-2 · analyzed May 22, 2026 Full analysis →
nomisec WORKING POC
by bde574786 · poc
https://github.com/bde574786/Sequelize-1day-CVE-2023-25813

This repository contains a functional proof-of-concept exploit for CVE-2023-25813, demonstrating SQL injection in Sequelize < 6.19.1 via improper handling of the `replacements` option. The PoC includes a Node.js application with vulnerable Sequelize queries and detailed technical analysis of the root cause.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Sequelize < 6.19.1
No auth needed
Prerequisites: Node.js environment · Sequelize v6.19.0 or lower · MySQL database
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by numbbvi · poc
https://github.com/numbbvi/CVE-2023-25813

This repository contains a functional proof-of-concept for CVE-2023-25813, demonstrating a SQL injection vulnerability in Sequelize. The exploit is embedded in a Node.js application with Docker support, showcasing the vulnerability in a controlled environment.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Sequelize (ORM for Node.js)
No auth needed
Prerequisites: Node.js environment · MySQL database · Sequelize library
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by sea-middle · poc
https://github.com/sea-middle/cve-2023-25813

This repository contains a functional Node.js application demonstrating CVE-2023-25813, a SQL injection vulnerability in the login and post creation endpoints. The code uses raw SQL queries with user-controlled input, allowing for authentication bypass and arbitrary SQL execution.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Custom Node.js application using Sequelize ORM
No auth needed
Prerequisites: Network access to the vulnerable application · Ability to send HTTP requests to the login or post endpoints
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by pbj2647 · poc
https://github.com/pbj2647/CVE-2023-25813

This repository contains a functional Python script for exploiting CVE-2023-25813, a SQL injection vulnerability. The script automates blind SQLi attacks to extract database information, table structures, and data from a vulnerable target.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Sequelize ORM (specific version not specified)
No auth needed
Prerequisites: Vulnerable Sequelize ORM instance · Accessible endpoint with injectable parameters
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 10.0
EPSS 0.0352
EPSS Percentile 88.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull mysql:8.0
+4 more repos

Details

CWE
CWE-89
Status published
Products (2)
npm/sequelize 0 - 6.19.1npm
sequelizejs/sequelize < 6.19.1
Published Feb 22, 2023
Tracked Since Feb 18, 2026