SB20230221100 - Type Confusion in Sequelize
Published: February 21, 2023 Updated: April 27, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Type Confusion (CVE-ID: CVE-2023-22579)
The vulnerability allows a remote user to bypass query filtering.
The vulnerability exists because getWhereConditions accesses a resource using an incompatible type (a type confusion) when it processes an invalid value in the where option of a query. A remote user can supply a specially crafted invalid where value to bypass query filtering.
This behavior occurs only at the top level of the where option.
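As an added example (not code from this bulletin or from the Sequelize project), one application-side mitigation that holds regardless of library version: never pass a client-supplied value straight through as the top-level where option, but rebuild it server-side from an allowlist of fields and scalar values. The field names, the tenantId scoping column and the request shape are assumptions for the example.

```javascript
// Added example: build Sequelize's top-level `where` from an allowlist so that
// an untrusted, possibly malformed filter value never reaches getWhereConditions.
// FILTERABLE_FIELDS, tenantId and the request shape are assumed for illustration.
const FILTERABLE_FIELDS = new Set(["status", "ownerId", "category"]);

// True only for ordinary object literals; rejects arrays, strings, null,
// numbers and objects with a foreign prototype.
function isPlainObject(value) {
  return Object.prototype.toString.call(value) === "[object Object]"
    && Object.getPrototypeOf(value) === Object.prototype;
}

// Returns a fresh plain object suitable for the top-level `where` option, or
// throws if the client filter is not a plain object of allowlisted
// field -> scalar (or array of scalars) pairs. The tenant predicate is always
// added by the server and is never client-controlled.
function buildWhere(untrustedFilter, tenantId) {
  if (!isPlainObject(untrustedFilter)) {
    // Anything that is not a plain object is exactly the "invalid where value"
    // class the bulletin describes: refuse it instead of passing it through.
    throw new TypeError("filter must be a plain object");
  }
  const where = { tenantId };
  for (const [field, value] of Object.entries(untrustedFilter)) {
    if (!FILTERABLE_FIELDS.has(field)) {
      throw new RangeError(`filter on field "${field}" is not permitted`);
    }
    const values = Array.isArray(value) ? value : [value];
    const scalar = (v) => ["string", "number", "boolean"].includes(typeof v);
    if (values.length === 0 || !values.every(scalar)) {
      throw new TypeError(`filter value for "${field}" must be a scalar or array of scalars`);
    }
    where[field] = value; // an array becomes an IN list in Sequelize
  }
  return where;
}

// Usage inside a request handler (Item and req are assumed):
//   const rows = await Item.findAll({ where: buildWhere(req.body.filter, req.user.tenantId) });
```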
Remediation
Install the update from the vendor's website.