CVE-2019-11069
Description
Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sequelize 5.x before 5.3.0 does not enforce standard_conforming_strings on its PostgreSQL connections, leaving applications open to SQL injection on servers where the setting is off.
Root Cause
CVE-2019-11069 affects Sequelize 5.x before 5.3.0. The PostgreSQL dialect did not ensure that the connections it opened ran with standard_conforming_strings = on. With the setting off, PostgreSQL treats a backslash inside an ordinary single-quoted literal as an escape character (so \' is a literal quote rather than a backslash followed by the closing quote), which changes where a string literal ends. Escaping that assumes the standard behaviour, in which a quote is escaped only by doubling it and a backslash is an ordinary character, can therefore be defeated, and the altered SQL syntax enables SQL injection [1][2].
Exploitation
An attacker who can get a backslash into a value that Sequelize escapes into a PostgreSQL string literal can exploit this. Before 5.3.0 the PostgreSQL connection manager only issued SET standard_conforming_strings = on when the reported server version was between 8.2 and 9.1 (the releases in which the setting existed but defaulted to off), and otherwise trusted the server default; a newer server on which an administrator had turned the setting off (in postgresql.conf, or per database or role) was therefore never corrected. The fix in 5.3.0 registers a handler for the ParameterStatus messages the server sends during connection startup, records the reported standard_conforming_strings value, and after connecting sends SET standard_conforming_strings = on whenever that value is anything other than on [3][4].
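To make the root cause and the exploitation path above concrete, the following is an added example (not Sequelize or PostgreSQL code): a small model of how the server lexes a single-quoted literal with standard_conforming_strings on versus off, applied to a query that escapes a value by quote-doubling only. The model implements only the "backslash escapes the next character" rule of the legacy mode, not the full table of legacy escapes, and the query builder, table name and attacker string are constructed for illustration. The last function models the decision the 5.3.0 fix makes from the value the server reports.

```javascript
// Added example, not Sequelize or PostgreSQL code: a minimal model of how the
// server lexes a single-quoted SQL literal with standard_conforming_strings
// on (backslash is an ordinary character) versus off (backslash escapes the
// next character), to show why quote-doubling alone is unsafe when it is off.

// Quote-doubling escape: the scheme a driver can rely on only when the
// session has standard_conforming_strings = on.
function escapeLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Split a statement into the text outside literals ("code", with each
// literal replaced by "?") and the decoded literal values. "--" comments are
// skipped as the real lexer does. Returns { code, literals, unterminated }.
function lexStatement(sql, scsOn) {
  const literals = [];
  let code = '';
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === '-' && sql[i + 1] === '-') {
      // Line comment: drop everything up to the next newline.
      const nl = sql.indexOf('\n', i);
      i = nl === -1 ? sql.length : nl;
      continue;
    }
    if (ch !== "'") {
      code += ch;
      i++;
      continue;
    }
    // Inside a literal.
    let lit = '';
    let closed = false;
    i++;
    while (i < sql.length) {
      const c = sql[i];
      if (c === '\\' && !scsOn) {
        // Legacy behaviour (simplified): the backslash escapes whatever follows.
        if (i + 1 < sql.length) lit += sql[i + 1];
        i += 2;
        continue;
      }
      if (c === "'") {
        if (sql[i + 1] === "'") { lit += "'"; i += 2; continue; } // doubled quote
        closed = true;
        i++;
        break;
      }
      lit += c;
      i++;
    }
    literals.push(lit);
    code += '?';
    if (!closed) return { code, literals, unterminated: true };
  }
  return { code, literals, unterminated: false };
}

// Hypothetical query builder that escapes a value into a literal (the shape
// of query an ORM emits when it does not use bound parameters).
function buildQuery(username) {
  return 'SELECT * FROM users WHERE name = ' + escapeLiteral(username);
}

// True when the server would see exactly one literal, equal to the input,
// and no injected SQL outside it.
function literalIsContained(username, scsOn) {
  const { code, literals } = lexStatement(buildQuery(username), scsOn);
  return literals.length === 1 && literals[0] === username &&
    code === 'SELECT * FROM users WHERE name = ?';
}

// Driver-side enforcement modelled on the 5.3.0 fix: trust the value the
// server reported for the parameter and issue SET when it is anything other
// than 'on', including when no value was observed at all.
function sessionSetupQuery(reportedValue) {
  return reportedValue === 'on' ? null : 'SET standard_conforming_strings = on;';
}

// Constructed attacker input: backslash, quote, tautology, comment marker.
const ATTACK = "\\' OR 1=1 --";

console.log(buildQuery(ATTACK));
console.log('contained (scs=on): ', literalIsContained(ATTACK, true));   // true
console.log('contained (scs=off):', literalIsContained(ATTACK, false));  // false
console.log('code seen (scs=off):', lexStatement(buildQuery(ATTACK), false).code);
```

With the setting on, the whole attacker string stays inside the literal; with it off, the backslash consumes the first of the doubled quotes, the second quote closes the literal, and ` OR 1=1 --` runs as SQL while the comment marker hides the trailing quote. A benign value such as O'Brien survives both modes, which is why the bug is easy to miss in ordinary testing.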
Impact
Without this enforcement, a crafted value containing a backslash can terminate the string literal early and append attacker-controlled SQL to the query. The consequences are those of SQL injection: unauthorized data access, modification or deletion, or further database compromise, bounded by the privileges of the database role Sequelize connects as [2].
Mitigation
Upgrade to Sequelize 5.3.0 or later; the patch shipped in the official release of 2019-04-10 [1]. No workaround is documented. As a check, operators can confirm that the server reports the setting as on (SHOW standard_conforming_strings) for the database and role the application uses, since vulnerable versions only mishandled sessions where it was off; this measures exposure but does not replace the upgrade, which enforces the setting on every connection.
[1] Release v5.3.0 · sequelize/sequelize
[2] NVD - CVE-2019-11069
[3] fix(postgres): check and enable standard conforming strings when required by sushantdhiman · Pull Request #10746 · sequelize/sequelize
[4] fix(postgres): check and enable standard conforming strings when required by sushantdhiman · Pull Request #10746 · sequelize/sequelize
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sequelize (npm) | >= 5.0.0, < 5.3.0 | 5.3.0 |
Patches
850c7fd04669 feat(postgres): enable standard conforming strings when required (#10746)
2 files changed · +33 −6
lib/dialects/abstract/connection-manager.js+4 −1 modified@@ -256,7 +256,10 @@ class ConnectionManager { //avoiding a useless round trip if (this.sequelize.options.databaseVersion === 0) { return this.sequelize.databaseVersion(_options).then(version => { - this.sequelize.options.databaseVersion = semver.valid(version) ? version : this.defaultVersion; + const parsedVersion = _.get(semver.coerce(version), 'version') || version; + this.sequelize.options.databaseVersion = semver.valid(parsedVersion) + ? parsedVersion + : this.defaultVersion; this.versionPromise = null; return this._disconnect(connection); });
lib/dialects/postgres/connection-manager.js+29 −5 modified@@ -122,6 +122,23 @@ class ConnectionManager extends AbstractConnectionManager { let responded = false; const connection = new this.lib.Client(connectionConfig); + + const parameterHandler = message => { + switch (message.parameterName) { + case 'server_version': + if (this.sequelize.options.databaseVersion === 0) { + const version = semver.coerce(message.parameterValue).version; + this.sequelize.options.databaseVersion = semver.valid(version) + ? version + : this.defaultVersion; + } + break; + case 'standard_conforming_strings': + connection['standard_conforming_strings'] = message.parameterValue; + break; + } + }; + const endHandler = () => { debug('connection timeout'); if (!responded) { @@ -133,8 +150,19 @@ class ConnectionManager extends AbstractConnectionManager { // node-postgres does not treat this as an error since no active query was ever emitted connection.once('end', endHandler); + if (!this.sequelize.config.native) { + // Receive various server parameters for further configuration + connection.connection.on('parameterStatus', parameterHandler); + } + connection.connect(err => { responded = true; + + if (!this.sequelize.config.native) { + // remove parameter handler + connection.connection.removeListener('parameterStatus', parameterHandler); + } + if (err) { if (err.code) { switch (err.code) { @@ -166,11 +194,7 @@ class ConnectionManager extends AbstractConnectionManager { }).tap(connection => { let query = ''; - if ( - this.sequelize.options.databaseVersion !== 0 - && semver.gte(this.sequelize.options.databaseVersion, '8.2.0') - && semver.lt(this.sequelize.options.databaseVersion, '9.1.0') - ) { + if (connection['standard_conforming_strings'] !== 'on') { // Disable escape characters in strings // see https://github.com/sequelize/sequelize/issues/3545 (security issue) // see https://www.postgresql.org/docs/current/static/runtime-config-compatible.html#GUC-STANDARD-CONFORMING-STRINGS
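Review bot: in the lib/dialects/abstract/connection-manager.js hunk at -256, the `_.get(semver.coerce(version), 'version') || version` change alters version parsing for every dialect, not just PostgreSQL, while the commit title says feat(postgres); either scope the title accordingly or split it, and make sure `_` (lodash) is actually required at the top of this file, which the hunk does not show. The same coerce-then-validate logic is repeated in the PostgreSQL parameterHandler, so a small shared helper would keep the two in step.

Review bot: in the first lib/dialects/postgres/connection-manager.js hunk at -122, `semver.coerce(message.parameterValue).version` will throw a TypeError if coerce returns null for an unexpected server_version string, and it does so inside an event handler where nothing catches it; guard it the way the abstract manager does, e.g. `const version = _.get(semver.coerce(message.parameterValue), 'version');` before the semver.valid check.

Review bot: in the hunk at -133, the parameterStatus listener is only attached when `!this.sequelize.config.native`, so for pg-native clients `connection['standard_conforming_strings']` is never set and the later `!== 'on'` check will send SET on every native connection. That is the safe outcome, but it deserves a comment here, and `connection.connection` is node-postgres' internal Connection object rather than public API, so the pg version range this relies on should be pinned or covered by a test.

Review bot: in the hunk at -166, replacing the 8.2–9.1 version window with `connection['standard_conforming_strings'] !== 'on'` is the actual security fix and correctly fails safe when the value is undefined; the hunk ends before the SET query is executed, so please confirm that a failure of that query rejects the connection instead of handing out a session with the parameter still off, which would reintroduce the bug the comment's issue link describes.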
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2777-2vq8-c4v4
- nvd.nist.gov/vuln/detail/CVE-2019-11069
- github.com/sequelize/sequelize/blob/98cb17c17f73e2aa1792aa5a1d31216ba984b456/lib/dialects/postgres/connection-manager.js
- github.com/sequelize/sequelize/commit/850c7fd04669e0fef9238b6dc4f8d6ee93ed71e9
- github.com/sequelize/sequelize/pull/10746
- github.com/sequelize/sequelize/pull/10746/files
- github.com/sequelize/sequelize/releases/tag/v5.3.0
- snyk.io/vuln/SNYK-JS-SEQUELIZE-174167