SQL injection in Sequelize - CVE-2023-25813

Published: February 22, 2023 / Updated: April 27, 2026


Vulnerability identifier: #VU128013
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-25813
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Sequelize
Software vendor: npm Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command during replacements processing in sequelize.query, when a query combines the where option with replacements. A remote attacker can supply crafted replacement values to execute arbitrary SQL commands.
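As an added illustration (not Sequelize's own code; the internal ordering of the two passes is assumed for the example), a toy query builder shows the weakness class the description names: when a named-replacement pass runs over SQL text that already contains where-clause values, those values are rewritten too, whereas resolving replacements against the developer-written template first keeps where values opaque.

```javascript
// Toy model of "replacements applied to a query that also carries a where
// option" (assumed ordering, for illustration only; not Sequelize internals).

// Minimal single-quote escaping for string literals (toy; drivers do more).
function escapeLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Substitute :name tokens with escaped values from the replacements object.
function applyReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(replacements, name)
      ? escapeLiteral(replacements[name])
      : match
  );
}

// Render a WHERE fragment from a plain column -> value object.
function renderWhere(where) {
  return Object.entries(where)
    .map(([col, val]) => `"${col}" = ${escapeLiteral(val)}`)
    .join(' AND ');
}

// Weak ordering: where values are inlined first, then the replacement pass
// rescans the whole string, so a where value that merely contains ":name"
// is rewritten even though it should have stayed an opaque literal.
function buildWeak(template, where, replacements) {
  const withWhere = template.replace('<where>', () => renderWhere(where));
  return applyReplacements(withWhere, replacements);
}

// Fixed ordering: replacements are resolved against the template only;
// where values are inlined afterwards and never rescanned for tokens.
function buildFixed(template, where, replacements) {
  const resolved = applyReplacements(template, replacements);
  return resolved.replace('<where>', () => renderWhere(where));
}

// Review helper: flag where values that look like replacement tokens, so a
// code base still on an affected version can find the risky combinations.
function whereValuesContainTokens(where) {
  return Object.values(where).some((v) => /:\w+/.test(String(v)));
}
```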


Remediation

Install security update from vendor's website.

External links