CVE-2016-10550
Description
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. If user input goes into the limit or order parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Sequelize ORM via unescaped user input in limit/order parameters, affecting versions 3.16.0 and earlier.
Vulnerability
Sequelize, an ORM for Node.js, versions 3.16.0 and earlier, fails to properly escape user-provided values passed into the limit or order query parameters. If user input is directly supplied to these parameters without sanitization, an attacker can inject arbitrary SQL statements [1][2]. The vulnerability resides in the query generation logic where these arguments are concatenated into the final SQL without proper escaping [2].
Exploitation
An attacker needs to be able to influence the limit or order parameters of a Sequelize query, typically through unsanitized form fields, API inputs, or URL parameters. No special network position or authentication is required beyond the ability to reach the application endpoints that feed those parameters into a query. The attacker simply supplies crafted SQL strings within the limit or order values, which are then executed against the database [1].
Impact
Successful exploitation allows the attacker to perform SQL injection, potentially leading to unauthorized reading or modification of data, privilege escalation, or even remote code execution depending on the database configuration. The injected SQL runs with the privileges of the database user the application connects as [1][3].
Mitigation
This vulnerability is fixed in Sequelize version 3.17.0 and later [3]. Users should upgrade to at least version 3.17.0. As a workaround, applications must ensure that user input is never passed directly to limit or order parameters and that these values are strictly validated and sanitized before use [1][2].
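One way to apply the workaround above, as an added example that is not part of this advisory or of the Sequelize project (the column allowlist, the limit bounds and the `Post` model are assumptions):

```javascript
// Added example, not Sequelize's own code: validate untrusted `limit` and
// `order` values before they reach Model.findAll(). The column allowlist,
// bounds and Post model are assumptions for illustration.
//
// Vulnerable pattern this replaces (request values flow straight into the query):
//   Post.findAll({ limit: req.query.limit, order: req.query.order });

const ALLOWED_SORT_COLUMNS = new Set(['id', 'createdAt', 'title']); // assumed schema
const MAX_LIMIT = 100;

// Accept only a short run of digits, then clamp; anything else is rejected.
function parseLimit(raw, fallback = 20) {
  if (raw === undefined) return fallback;
  if (typeof raw !== 'string' || !/^\d{1,9}$/.test(raw)) {
    throw new RangeError(`invalid limit: ${String(raw)}`);
  }
  return Math.min(Number(raw), MAX_LIMIT);
}

// Accept "column" or "column:dir" where column is allowlisted and dir is
// asc/desc. The returned [column, direction] pairs are the structured form
// the ORM quotes itself; no request text is ever used as raw SQL.
function parseOrder(raw, fallback = [['id', 'ASC']]) {
  if (raw === undefined) return fallback;
  if (typeof raw !== 'string') throw new TypeError('order must be a string');
  const parts = raw.split(':');
  if (parts.length > 2) throw new RangeError(`malformed order: ${raw}`);
  const [column, dir = 'asc'] = parts;
  if (!ALLOWED_SORT_COLUMNS.has(column)) {
    throw new RangeError(`unknown sort column: ${column}`);
  }
  const direction = { asc: 'ASC', desc: 'DESC' }[dir.toLowerCase()];
  if (direction === undefined) throw new RangeError(`invalid direction: ${dir}`);
  return [[column, direction]];
}

// Build the options object from a parsed query string (e.g. Express req.query).
function buildListOptions(query) {
  return { limit: parseLimit(query.limit), order: parseOrder(query.order) };
}

// Hardened call site: Post.findAll(buildListOptions(req.query))
```

Rejecting rather than "cleaning" malformed values keeps the failure visible in application logs, which is also the signal a detection rule can alert on.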
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sequelize (npm) | < 3.17.0 | 3.17.0 |
Affected products
- HackerOne / sequelize node module (range: <= 3.16.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-98pq-pmw9-4gpm (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-10550 (GHSA, advisory)
- github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03 (GHSA, x_refsource_MISC, web)
- nodesecurity.io/advisories/112 (MITRE, x_refsource_MISC)
- www.npmjs.com/advisories/112 (GHSA, web)
News mentions
No linked articles in our index yet.