Critical severity · NVD Advisory · Published Sep 1, 2020 · Updated Sep 23, 2021
SQL Injection via GeoJSON in sequelize
CVE-2016-1000225
Description
Affected versions of sequelize are vulnerable to SQL injection in models that have fields of the GEOMETRY data type. Single quotes in GeoJSON document values are not escaped before the document is spliced into the SQL string literal passed to ST_GeomFromGeoJSON (PostGIS), or into the GeomFromText call used for GeoJSON documents on MySQL, so a crafted document can terminate the literal early and append arbitrary SQL.
Recommendation
Update to version 3.23.6 or later.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sequelize (npm) | >= 3.4.0, < 3.23.6 | 3.23.6 |
Patches
4 fix commits:
- 14e3deaf3ad2
- 18ac91040d9c
- 562d52585902
- f93af43a1d86
Vulnerability mechanics
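The defect class described above, as an added illustration (this is not sequelize's own code, and the function names, the hostile document and the escaping helper are assumptions made for the demo): a GeoJSON document is serialised and concatenated into a single-quoted SQL literal, so any single quote inside the document ends the literal early. The same serialised text is spliced into both the ST_GeomFromGeoJSON and GeomFromText call shapes purely to show that the string-literal handling is the weak point; on the real MySQL path sequelize converts the document first, which the demo does not reproduce.

```javascript
// Added example, not sequelize code. Shows how an unescaped single quote in a
// GeoJSON document breaks out of the SQL string literal, and the escaping fix.

// Constructed hostile GeoJSON: the crs name is attacker-controlled text.
// (The crs member is just a convenient string-valued slot for this demo.)
const hostileGeoJson = {
  type: 'Point',
  coordinates: [39.807222, -76.984722],
  crs: { type: 'name', properties: { name: "EPSG:4326'); DROP TABLE users; --" } },
};

// Vulnerable pattern: JSON.stringify leaves single quotes untouched, so the
// document text lands inside the SQL literal verbatim.
function geomLiteralUnsafe(fn, doc) {
  return `${fn}('${JSON.stringify(doc)}')`;
}

// Fix: escape the serialised document as a SQL string before splicing it in.
// Doubling each single quote is the SQL-standard escape; the driver's own
// escape routine or a bind parameter is preferable in production code.
function escapeSqlString(s) {
  return s.replace(/'/g, "''");
}

function geomLiteralEscaped(fn, doc) {
  return `${fn}('${escapeSqlString(JSON.stringify(doc))}')`;
}

// Check whether the first single-quoted literal in `sql` runs all the way to
// the closing parenthesis of the function call. A doubled quote ('') is an
// escaped quote and does not terminate the literal; early termination means
// the rest of the document is being parsed as SQL, i.e. injection.
function literalIsIntact(sql) {
  const open = sql.indexOf("('");
  if (open < 0) return false;
  let i = open + 2;
  while (i < sql.length) {
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; } // escaped quote, keep going
      return sql.slice(i + 1) === ')';             // literal must end the call
    }
    i += 1;
  }
  return false; // unterminated literal
}

// Run both builders for the PostGIS and MySQL call shapes and report whether
// the resulting literal survives the hostile document.
function demo() {
  const results = {};
  for (const fn of ['ST_GeomFromGeoJSON', 'GeomFromText']) {
    results[fn] = {
      unsafe: literalIsIntact(geomLiteralUnsafe(fn, hostileGeoJson)),
      escaped: literalIsIntact(geomLiteralEscaped(fn, hostileGeoJson)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

With the hostile document, the unsafe builder yields a literal that closes at the injected quote and leaves `); DROP TABLE users; --` outside it; the escaped builder keeps the whole document inside one literal. Escaping the serialised text is the narrow fix; passing the document as a bind parameter removes the string-building step altogether.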
References
- github.com/advisories/GHSA-5v9h-q3gj-c32x (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2016-1000225 (advisory, via GHSA)
- github.com/sequelize/sequelize/commit/14e3deaf3ad27f12900e5275db1d448844c9de3e (fix commit, via GHSA)
- github.com/sequelize/sequelize/commit/18ac91040d9c57351d26ba998f460e214255b704 (fix commit, via GHSA)
- github.com/sequelize/sequelize/commit/562d52585902090f4e53eb21c61314098c29d795 (fix commit, via GHSA)
- github.com/sequelize/sequelize/commit/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1 (fix commit, via GHSA)
- github.com/sequelize/sequelize/issues/6194 (issue, via GHSA)
- github.com/sequelize/sequelize/pull/6302 (pull request, via GHSA)
- github.com/sequelize/sequelize/pull/6306 (pull request, via GHSA)
- snyk.io/vuln/npm:sequelize:20160718 (Snyk entry, via GHSA)