VYPR
Critical severity · OSV Advisory · Published Oct 29, 2019 · Updated Aug 4, 2024

CVE-2019-10749

Description

sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in sequelize <3.35.1 via unsanitized JSON path keys in Postgres dialect allows attackers to execute arbitrary SQL.

Vulnerability

CVE-2019-10749 is a SQL injection vulnerability in the Sequelize ORM library for Node.js, affecting versions before 3.35.1. The flaw exists in the Postgres dialect's handling of JSON path keys. When constructing queries that involve JSON operations, the library failed to properly sanitize the path keys, allowing an attacker to inject malicious SQL fragments.

Exploitation

An attacker can exploit this vulnerability by providing specially crafted JSON path keys as input to Sequelize queries. No authentication is required if the application exposes query endpoints that accept user-controlled data for JSON keys. The injection occurs in the generated SQL string, potentially affecting any query that uses JSON path operations in Postgres.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the database. This could lead to data leakage, modification, or deletion, depending on the database permissions. The vulnerability is remotely exploitable without authentication in many scenarios.

Mitigation

The vulnerability is fixed in Sequelize version 3.35.1 and later. Users should upgrade immediately. The fix is implemented in commit ee40173 [1][2], which properly escapes the path keys using the escape method. No workarounds are available; upgrading is the recommended action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
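The pre-fix and post-fix construction of the `#>>` path key, as an added example that is not Sequelize's own code: `quoteIdentifier` and `escapePgLiteral` are simplified stand-ins (assumptions) for Sequelize's `quoteIdentifier` and `escape` methods, and `isSingleQuotedLiteral` is an added regression-style check that the generated fragment still ends in one intact Postgres string literal.

```javascript
// Added example, not Sequelize's code: a minimal model of the query-generator
// fragment changed by commit ee40173, before and after the fix.

// Stand-in for self.quoteIdentifier(key): double-quote a column name.
function quoteIdentifier(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Stand-in (assumption) for self.escape(value): a Postgres E'' string literal
// with embedded backslashes and single quotes escaped.
function escapePgLiteral(value) {
  const s = String(value).replace(/\\/g, '\\\\').replace(/'/g, "''");
  return "E'" + s + "'";
}

// Pre-fix construction (sequelize < 3.35.1): the joined path is spliced
// straight into a hand-written quoted literal, so a single quote inside any
// path element terminates the literal and the rest lands in the SQL text.
function buildJsonPathKeyVulnerable(key, path) {
  return quoteIdentifier(key) + "#>>'{" + path.join(', ') + "}'";
}

// Post-fix construction: the whole '{...}' path literal goes through the
// escape routine first, so embedded quotes stay inside the literal.
function buildJsonPathKeyFixed(key, path) {
  const pathKey = escapePgLiteral('{' + path.join(', ') + '}');
  return quoteIdentifier(key) + '#>>' + pathKey;
}

// Defensive check for a unit test: after the quoted identifier and the #>>
// operator, the fragment must consist of exactly one well-formed single-quoted
// literal (every embedded quote doubled). Returns true when it is intact.
function isSingleQuotedLiteral(fragment) {
  return /^"(?:[^"]|"")+"#>>(E?)'((?:[^']|'')*)'$/.test(fragment);
}

// Constructed input: a path element carrying a single quote, the kind of
// user-controlled value the advisory describes reaching the path keys.
const column = 'data';
const userPath = ['author', "o'brien"];

console.log(buildJsonPathKeyVulnerable(column, userPath)); // "data"#>>'{author, o'brien}'  (literal broken)
console.log(buildJsonPathKeyFixed(column, userPath));      // "data"#>>E'{author, o''brien}' (intact)
console.log(isSingleQuotedLiteral(buildJsonPathKeyVulnerable(column, userPath))); // false
console.log(isSingleQuotedLiteral(buildJsonPathKeyFixed(column, userPath)));      // true
```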

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
sequelize (npm)    < 3.35.1            3.35.1

Affected products: 2

Patches: 1

ee4017379db0

fix(postgres): json path key quoting (#11088)

https://github.com/sequelize/sequelize · Sushant · Jun 20, 2019 · via ghsa
1 file changed · +2 −1
  • lib/dialects/abstract/query-generator.js · +2 −1 · modified
    @@ -2198,7 +2198,8 @@ var QueryGenerator = {
                 path[path.length - 1] = $tmp[0];
               }
     
    -          $baseKey = self.quoteIdentifier(key)+'#>>\'{'+path.join(', ')+'}\'';
    +          var pathKey = self.escape('{' + path.join(', ') + '}');
    +          $baseKey = self.quoteIdentifier(key)+'#>>'+pathKey;
     
               if (options.prefix) {
                 if (options.prefix instanceof Utils.literal) {
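Review bot: passing the whole `'{...}'` literal through `self.escape` closes the string-literal break, but the path elements are still concatenated with `path.join(', ')` before escaping, so an element containing `,`, `{` or `}` still changes which keys the Postgres array literal denotes; consider double-quoting each element as an array element (escaping `"` and `\` inside it) before the join, and add a regression test with a path element containing a single quote so the replaced `$baseKey` line cannot regress.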
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.