Type Confusion in Sequelize - CVE-2023-22579
Published: February 21, 2023 / Updated: April 27, 2026
Sequelize
npm Inc.
Description
The vulnerability allows a remote user to bypass query filtering.
The vulnerability exists because getWhereConditions accesses a resource using an incompatible type when it processes an invalid value in the where option of a query. A remote user can supply a specially crafted invalid where value to bypass query filtering.
This behavior occurs only at the top level of the where option.
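
An application-side guard for the condition described above, as an added example that is not code from Sequelize or from this advisory: it rejects any top-level where value that is not a non-empty plain object before the query is built. The function names, the allowed-key list and the sample inputs are assumptions constructed for illustration, and the plain-object-only policy is stricter than what the library itself accepts.

```javascript
'use strict';

// Hypothetical application-level guard (not part of Sequelize).
// Assumption: this app only ever passes a plain object of column filters
// as the top-level `where`, never strings, numbers, arrays or helper objects.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Throws unless `where` is a non-empty plain object whose own keys are all
// strings on the allowlist. Returns `where` unchanged when it passes.
function assertValidWhere(where, allowedKeys) {
  if (!isPlainObject(where)) {
    const kind = Object.prototype.toString.call(where); // e.g. "[object Date]"
    throw new TypeError(`top-level where must be a plain object, got ${kind}`);
  }
  const keys = Reflect.ownKeys(where); // includes symbol keys
  if (keys.length === 0) {
    throw new TypeError('top-level where must not be empty');
  }
  for (const key of keys) {
    if (typeof key !== 'string' || !allowedKeys.includes(key)) {
      throw new TypeError(`where key not allowed: ${String(key)}`);
    }
  }
  return where;
}

// Allowlist for a hypothetical "users" listing endpoint.
const ALLOWED = ['email', 'status'];

function classify(where) {
  try {
    assertValidWhere(where, ALLOWED);
    return 'accepted';
  } catch (err) {
    return 'rejected';
  }
}

// Constructed sample inputs: values a request handler might end up holding.
const SAMPLES = [{ email: 'a@example.test' }, new Date(0), undefined, null,
  '1=1', 42, [], {}, { role: 'admin' }];
for (const sample of SAMPLES) {
  console.log(Object.prototype.toString.call(sample), '->', classify(sample));
}
```

Call assertValidWhere on the value immediately before it is placed in the where option, so an invalid top-level value fails the request instead of reaching the query builder.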