CVE-2016-10553
Description
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. A fix was pushed out that fixed potential SQL injection in sequelize 2.1.3 and earlier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in Sequelize <=2.1.3 allows attackers to execute arbitrary SQL queries via unsanitized inputs.
Vulnerability
Sequelize versions 2.1.3 and earlier are vulnerable to SQL injection [1][2]. The library, an Object-Relational Mapping (ORM) for Node.js supporting multiple database backends (Postgres, MySQL, MariaDB, SQLite, Microsoft SQL Server), did not properly sanitize certain user-supplied inputs before constructing SQL queries. The references characterize the flaw only as a "potential SQL injection" and do not name the affected method or input. The general pattern behind such a bug is that a value reaches the query string by concatenation rather than as a bound parameter, so an attacker-controlled string can change the structure of the statement rather than being treated as data.
Exploitation
The attacker requires the ability to supply untrusted input that reaches a vulnerable query-construction path in Sequelize. No authentication or special network position is described in the references. Exploitation consists of supplying a string containing SQL metacharacters (quotes, comment markers, statement separators) or whole statements so that, once passed through the vulnerable ORM method, it becomes part of the final SQL statement sent to the database [1].
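The following is an added example for this page, not Sequelize's code, and it does not show where the bug in Sequelize 2.1.3 lived (the references do not say). It contrasts the two ways a value can reach a SQL statement that the Vulnerability and Exploitation sections describe: a hypothetical builder that interpolates values into the SQL text, beside one that emits placeholders and sends the values as bind parameters. The `structureOf` check strips string literals so that the part of the statement the database parses as SQL can be compared before and after a crafted input. All function names, the `users` table and the sample inputs are constructed for the example.

```javascript
// Added example; not Sequelize code. The builders and inputs are hypothetical
// and exist only to contrast interpolation with bound parameters.

// Vulnerable pattern: each value is interpolated directly into the SQL text,
// so a value containing a quote, comment marker or statement separator
// changes the structure of the statement the database parses.
function buildSelectUnsafe(table, conditions) {
  const clauses = Object.entries(conditions).map(
    ([column, value]) => `${column} = '${value}'`,
  );
  return `SELECT * FROM ${table} WHERE ${clauses.join(' AND ')};`;
}

// Identifiers (table and column names) cannot be sent as bind parameters,
// so they are validated against a strict grammar instead of being escaped.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

function assertIdentifier(name) {
  if (!IDENTIFIER.test(name)) {
    throw new Error(`refusing to use "${name}" as a SQL identifier`);
  }
  return name;
}

// Hardened pattern: the SQL text contains only numbered placeholders and the
// values travel separately, so the statement's structure is fixed at build
// time regardless of what the values contain. The text/values shape mirrors
// how parameterized queries are handed to a database driver.
function buildSelectSafe(table, conditions) {
  assertIdentifier(table);
  const columns = Object.keys(conditions).map(assertIdentifier);
  const clauses = columns.map((column, i) => `${column} = $${i + 1}`);
  return {
    text: `SELECT * FROM ${table} WHERE ${clauses.join(' AND ')};`,
    values: columns.map((column) => conditions[column]),
  };
}

// Structural view of a statement: every single-quoted literal (with '' as
// the escaped quote) is replaced by a marker, leaving keywords, operators
// and identifiers. Two statements that differ only in data have the same
// structure; if an input changes the structure, it was parsed as SQL.
function structureOf(sql) {
  return sql.replace(/'(?:[^']|'')*'/g, "'?'");
}

// True when `suspect` changes the statement structure relative to the
// statement built from a benign value of the same parameter.
function injectionChangedStructure(build, benign, suspect) {
  return structureOf(build(benign)) !== structureOf(build(suspect));
}

// Constructed inputs: a benign lookup and the classic tautology payload.
const BENIGN = 'alice';
const PAYLOAD = "x' OR 1=1 --";

function demo() {
  const unsafe = (name) => buildSelectUnsafe('users', { name });
  console.log(unsafe(PAYLOAD));
  // SELECT * FROM users WHERE name = 'x' OR 1=1 --';
  console.log('unsafe builder, structure changed:',
    injectionChangedStructure(unsafe, BENIGN, PAYLOAD)); // true

  const safe = buildSelectSafe('users', { name: PAYLOAD });
  console.log(safe.text, safe.values);
  // SELECT * FROM users WHERE name = $1; [ "x' OR 1=1 --" ]
}

demo();
```

With the interpolating builder, the payload closes the string literal, appends an always-true condition and comments out the trailing quote, so the structure check reports a change. With the placeholder builder the SQL text is identical for both inputs and the payload only ever appears in the values array, which the database receives as data. Identifiers are the one thing parameters cannot protect, which is why the hardened builder rejects anything that is not a plain identifier rather than trying to escape it.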
Impact
Successful exploitation leads to arbitrary SQL execution against the database. This can result in data theft (confidentiality breach), data modification (integrity loss), or potentially denial of service. The attacker can read, modify, or delete records depending on database permissions, possibly achieving full compromise of the database content accessible to the application's database user [1][2].
Mitigation
The references on this page do not name a specific patched release; the CVE description says only that a fix was pushed out for "sequelize 2.1.3 and earlier" [1][2]. The GitHub Security Advisory data on this page lists all versions below 3.0.0 as affected and 3.0.0 as the patched version, while the CVE record lists the affected range as <= 2.1.3, so the two sources agree that 2.1.3 is affected and differ only on the upper bound. Upgrade to 3.0.0 or later. No workaround is described in the references; upgrading is the recommended mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sequelize (npm) | < 3.0.0 | 3.0.0 |
Affected products
- HackerOne / sequelize node module: range <= 2.1.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2v7q-2xqx-f4q5 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-10553 (ghsa; ADVISORY)
- github.com/sequelize/sequelize/blob/master/changelog.md (ghsa; x_refsource_MISC, WEB)
- nodesecurity.io/advisories/109 (mitre; x_refsource_MISC)
- www.npmjs.com/advisories/109 (ghsa; WEB)
News mentions
No linked articles in our index yet.