SQL injection in Sequelize - CVE-2023-25813

 

SQL injection in Sequelize - CVE-2023-25813

Published: February 22, 2023 / Updated: April 27, 2026


Vulnerability identifier: #VU128013
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-25813
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: npm Inc.
Affected software:
Sequelize

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the replacements processing in sequelize.query when handling queries that combine the where option with replacements. A remote attacker can supply crafted replacement values to execute arbitrary SQL commands.


How to mitigate CVE-2023-25813

Install security update from vendor's website.

Sources