CVE-2016-10554
Description
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. Before version 1.7.0-alpha3, sequelize defaulted SQLite to use MySQL backslash escaping, even though SQLite uses Postgres escaping.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sequelize before 1.7.0-alpha3 used wrong SQL escaping for SQLite, enabling SQL injection via crafted input.
Vulnerability
Sequelize, an Object-Relational Mapping (ORM) library for Node.js, defaulted the SQLite dialect to MySQL-style backslash escaping instead of the standard-SQL quote doubling that SQLite (like PostgreSQL) actually parses, in every version before 1.7.0-alpha3 [1]. All sequelize versions <= 1.7.0-alpha2 are affected when SQLite is the configured dialect [2]. The bug is in SqlString.escape in lib/sql-string.js, which applied quote doubling only when dialect == "postgres" and sent every other dialect, SQLite included, through the backslash-escape table borrowed from MySQL; SQLite does not treat a backslash as an escape character inside a string literal, so that table does not neutralise quotes for it [3].
Exploitation
An attacker can exploit this by supplying crafted input that the application passes through sequelize into a SQLite query. The MySQL-style escaper rewrites ' as \' and \ as \\, but SQLite's tokenizer gives backslash no special meaning inside a string literal: the only recognised escape is a doubled quote (''). A value that starts with a backslash followed by a quote, for example \' OR 1=1 --, is escaped to \\\' OR 1=1 --; SQLite reads the three backslashes as ordinary characters and the quote after them as the end of the literal, so the rest of the value becomes part of the statement. A bare quote is escaped to \', which inside the surrounding quotes reads as '\'' and is typically an unterminated literal that SQLite rejects with a syntax error, so naive probes fail loudly while the backslash-led form slips through cleanly. No special network position is required: any application that accepts user input and uses it in a sequelize query against a SQLite database is reachable [1][3].
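The following is an added example, not sequelize's own code, that reproduces the mechanics described in the Vulnerability and Exploitation sections above. It re-implements the two escaping strategies (the pre-fix backslash table and the post-fix quote doubling) and runs the resulting statement through a deliberately minimal model of how SQLite lexes single-quoted literals and -- comments. The query template, the function names and the sample inputs are assumptions constructed for the demonstration; the lexer is a simplification of SQLite's real tokenizer, sufficient only to show whether attacker text stays inside its literal.

```javascript
// Added example (not from sequelize): why MySQL-style backslash escaping is
// unsafe for SQLite (CVE-2016-10554). SQLite treats backslash as an ordinary
// character inside a string literal; the only way to embed a quote is ''.

// Pre-fix behaviour: the backslash table sequelize <= 1.7.0-alpha2 applied to
// every dialect except postgres, SQLite included.
function mysqlStyleEscape(val) {
  return val.replace(/[\0\n\r\b\t\\\'\"\x1a]/g, (s) => {
    switch (s) {
      case "\0": return "\\0";
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "\b": return "\\b";
      case "\t": return "\\t";
      case "\x1a": return "\\Z";
      default: return "\\" + s;   // backslash, single quote, double quote
    }
  });
}

// Post-fix behaviour (1.7.0-alpha3): standard-SQL quote doubling.
function sqliteEscape(val) {
  return val.replace(/'/g, "''");
}

// Hypothetical query template an application might wrap around the escaped
// value; it is an assumption for this example, not sequelize's query builder.
const TEMPLATE = "SELECT * FROM users WHERE name = ";

function buildQuery(escapeFn, username) {
  return TEMPLATE + "'" + escapeFn(username) + "'";
}

// Minimal model of SQLite's lexer for single-quoted literals and -- comments.
// Returns the literal bodies and the SQL text left outside any literal, and
// throws on an unterminated literal (SQLite would report a syntax error).
function lexSqliteLiterals(sql) {
  const literals = [];
  let outside = "";
  let i = 0;
  while (i < sql.length) {
    if (sql[i] === "-" && sql[i + 1] === "-") {          // line comment
      while (i < sql.length && sql[i] !== "\n") i++;
      continue;
    }
    if (sql[i] !== "'") { outside += sql[i++]; continue; }
    let body = "";
    i++;                                                  // opening quote
    for (;;) {
      if (i >= sql.length) throw new Error("unterminated string literal");
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { body += "'"; i += 2; continue; } // '' escape
        i++;                                              // closing quote
        break;
      }
      body += sql[i++];                                   // backslash is not special
    }
    literals.push(body);
  }
  return { literals, outside };
}

// Classify what SQLite would make of the statement built from `username`:
//   "contained"    the value sits in one literal and the rest is the untouched template
//   "broken-out"   attacker text escaped the literal (SQL injection)
//   "syntax-error" the literal never terminates (query fails)
function classify(escapeFn, username) {
  let lexed;
  try {
    lexed = lexSqliteLiterals(buildQuery(escapeFn, username));
  } catch (e) {
    return "syntax-error";
  }
  const ok = lexed.literals.length === 1 &&
             lexed.literals[0] === username &&
             lexed.outside === TEMPLATE;
  return ok ? "contained" : "broken-out";
}

// Constructed inputs: an ordinary name, a name with an apostrophe, and a
// payload that leads with a backslash so the escaped form ends in \\\' and
// the quote terminates the literal under SQLite's rules.
const SAMPLES = ["alice", "O'Brien", "\\' OR 1=1 --"];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s),
    "backslash-escaping:", classify(mysqlStyleEscape, s),
    "| quote-doubling:", classify(sqliteEscape, s));
}
```

Running it shows the three outcomes side by side: "alice" is contained under both escapers, "O'Brien" yields a syntax error under backslash escaping (a legitimate apostrophe breaks the statement), and the backslash-led payload breaks out of the literal under backslash escaping but stays contained once quote doubling is applied, which is exactly the change the fix commit makes.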
Impact
Successful exploitation gives SQL injection against the SQLite database: unauthorized reading, modification or deletion of table contents, bounded by what the application's connection is allowed to do. SQLite is often chosen for tests and lightweight deployments, but where it backs a production application a full data compromise is possible, and because even a legitimate apostrophe in input (O'Brien) produces a malformed literal under the wrong escaping, query failures and denial of service are also likely with an affected sequelize version [1][2][3].
Mitigation
Upgrade to sequelize 1.7.0-alpha3 or later, which fixes the issue in commit c876192 by routing the sqlite dialect through the same quote-doubling branch as postgres in SqlString.escape [3]. The GitHub advisory records the affected range as < 1.7.0 with 1.7.0 as the patched version, so vulnerability scanners driven by that data will keep flagging the 1.7.0 alpha prereleases; the clean target is 1.7.0 or later. No workaround is documented; updating the library is the recommended mitigation [1][2]. Confirm the resolved version with npm ls sequelize before and after the upgrade.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sequelize (npm) | < 1.7.0 | 1.7.0 |
Affected products
- HackerOne / sequelize node module (v5), range: <= 1.7.0-alpha2
Patches
c876192aa6ce Fix string escaping for sqlite
1 file changed · +2 −1
lib/sql-string.js+2 −1 modified@@ -37,8 +37,9 @@ SqlString.escape = function(val, stringifyObjects, timeZone, dialect) { } } - if (dialect == "postgres") { + if (dialect === "postgres" || dialect === "sqlite") { // http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS + // http://stackoverflow.com/q/603572/130598 val = val.replace(/'/g, "''"); } else { val = val.replace(/[\0\n\r\b\t\\\'\"\x1a]/g, function(s) {
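Review bot: the new test `if (dialect === "postgres" || dialect === "sqlite")` still leaves the backslash table in the `else` branch as the fallback for every other value of `dialect`, including an undefined one when a caller omits the argument, so any dialect that follows standard-SQL quote doubling and is not named here inherits the same bug this commit fixes for sqlite. Consider inverting the condition so that `val.replace(/'/g, "''")` is the default and only the dialects that actually use backslash escapes (mysql, mariadb) take the backslash path, and add a regression test that escapes a value such as `\'` for the sqlite dialect; the commit touches only lib/sql-string.js and carries no test.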
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-x2jc-pwfj-h9p3 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2016-10554 (NVD advisory)
- https://github.com/sequelize/sequelize/commit/c876192aa6ce1f67e22b26a4d175b8478615f42d (fix commit)
- https://nodesecurity.io/advisories/113 (MITRE reference)
- https://www.npmjs.com/advisories/113 (npm advisory)