Critical severityGHSA Advisory· Published Sep 1, 2020· Updated Sep 23, 2021
SQL Injection via GeoJSON in sequelize
CVE-2016-1000225
Description
Affected versions of sequelize are vulnerable to SQL Injection in Models that have fields with the GEOMETRY DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using ST_GeomFromGeoJSON, and MySQL GeoJSON documents using GeomFromText.
Recommendation
Update to version 3.23.6 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sequelizenpm | >= 3.4.0, < 3.23.6 | 3.23.6 |
Affected products
2Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-5v9h-q3gj-c32xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-1000225ghsaADVISORY
- github.com/sequelize/sequelize/commit/14e3deaf3ad27f12900e5275db1d448844c9de3eghsaWEB
- github.com/sequelize/sequelize/commit/18ac91040d9c57351d26ba998f460e214255b704ghsaWEB
- github.com/sequelize/sequelize/commit/562d52585902090f4e53eb21c61314098c29d795ghsaWEB
- github.com/sequelize/sequelize/commit/f93af43a1d86400487f5e3d9762f1a4b7cf6b1e1ghsaWEB
- github.com/sequelize/sequelize/issues/6194ghsaWEB
- github.com/sequelize/sequelize/pull/6302ghsaWEB
- github.com/sequelize/sequelize/pull/6306ghsaWEB
- snyk.io/vuln/npm:sequelize:20160718ghsaWEB
News mentions
0No linked articles in our index yet.