
Unsafe fall-through in getWhereConditions

Critical severity GitHub Reviewed Published Feb 21, 2023 in sequelize/sequelize • Updated Feb 23, 2023

Package                     Affected versions    Patched versions
npm @sequelize/core (npm)   < 7.0.0-alpha.20     7.0.0-alpha.20
npm sequelize (npm)         < 6.28.1             6.28.1

Description

Impact

Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error.

A finder call like the following did not throw an error:

User.findAll({
  where: new Date(),
});

This option is normally given a plain JavaScript object; note that the fall-through only occurs for the top-level value of the where option.
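The failure mode described above is that an unusable filter is dropped rather than rejected, so a query that was meant to be constrained runs without its constraint. The following is an added example, not Sequelize's own code, of a fail-closed guard an application could wrap around its finder calls while it is still on an affected version: the top-level `where` must be a plain object (symbol-keyed operator objects included), and anything else such as a Date, string, number, or array raises a TypeError before the query is built. The helper names (`validateWhere`, `guardedFinder`, `makeStubModel`) are hypothetical, and the model used to exercise the guard is a constructed stub rather than a real Sequelize model; Sequelize's own query-builder objects (for example the result of `sequelize.where()`) can be admitted through the optional `allowExtra` predicate.

```javascript
// Added example (not part of the advisory or of Sequelize): a fail-closed
// guard for the top-level `where` option. Helper names are hypothetical.

// A plain object is one whose prototype is Object.prototype or null.
// Date instances, arrays, functions and class instances are not plain.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Reject any top-level `where` that is not a plain object, unless the
// caller's `allowExtra` predicate explicitly admits it (assumption: the
// application uses it to allow Sequelize's own query-builder objects).
function validateWhere(where, { allowExtra = () => false } = {}) {
  if (where === undefined) return; // no filter requested: nothing to check
  if (isPlainObject(where) || allowExtra(where)) return;
  const kind = where instanceof Date ? 'Date'
    : Array.isArray(where) ? 'Array'
    : typeof where;
  throw new TypeError(
    `Invalid top-level "where" value (${kind}); expected a plain object`
  );
}

// Wrap a model's finder so the guard runs before the query is issued.
function guardedFinder(finderName, model, guardOptions) {
  return (options = {}) => {
    validateWhere(options.where, guardOptions);
    return model[finderName](options);
  };
}

// Constructed stand-in for a Sequelize model: it only records the options
// it receives, so the example runs offline without a database.
function makeStubModel() {
  const calls = [];
  return {
    calls,
    findAll(options) {
      calls.push(options);
      return Promise.resolve([]);
    },
  };
}

// Exercise the guard: a valid filter passes through, the Date and string
// values from the advisory's scenario are rejected before reaching the model.
function demo() {
  const stub = makeStubModel();
  const findAll = guardedFinder('findAll', stub);
  const results = { validAccepted: false, dateRejected: false, stringRejected: false };

  findAll({ where: { id: 1 } });
  results.validAccepted = stub.calls.length === 1;

  try { findAll({ where: new Date() }); } catch (e) { results.dateRejected = e instanceof TypeError; }
  try { findAll({ where: 'id = 1' }); } catch (e) { results.stringRejected = e instanceof TypeError; }

  // The model was reached exactly once: the two invalid calls never got there.
  results.modelCalls = stub.calls.length;
  return results;
}

module.exports = { isPlainObject, validateWhere, guardedFinder, makeStubModel, demo };
```

Upgrading to the patched versions is the actual fix; the guard only makes an affected deployment fail closed in the meantime and is deliberately strict, so any non-plain-object filter shapes the application legitimately relies on must be admitted through `allowExtra`.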

Patches

This issue has been patched in sequelize@6.28.1 & @sequelize/core@7.0.0-alpha.20

References

A discussion thread about this issue is open at sequelize/sequelize#15698

CVE: CVE-2023-22579
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090

References

@ephys ephys published to sequelize/sequelize Feb 21, 2023
Published to the GitHub Advisory Database Feb 23, 2023
Reviewed Feb 23, 2023
Last updated Feb 23, 2023

Severity

Critical
10.0 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2023-22579

GHSA ID

GHSA-vqfx-gj96-3w95

Source code
