Critical severity · NVD Advisory · Published Oct 25, 2022 · Updated Mar 11, 2025
Feathers - SQL injection via attribute aliases
CVE-2022-2422
Description
Due to improper input validation in the Feathers library, it is possible to perform a SQL injection attack on the back-end database when the feathers-sequelize package is used.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| feathers-sequelize (npm) | >= 6.0.0, < 6.3.4 | 6.3.4 |
Affected products
- Range: 6.x
Patches
0f2d85f0b2d5 Do not allow raw attribute selects (#393)
2 files changed · +7 −1
lib/index.js+1 −1 modified@@ -133,7 +133,7 @@ class Service extends AdapterService { }, params.sequelize); if (filters.$select) { - q.attributes = filters.$select; + q.attributes = filters.$select.map(select => `${select}`); } const Model = this.applyScope(params);
test/index.test.js+6 −0 modified@@ -293,6 +293,12 @@ describe('Feathers Sequelize Service', () => { await people.remove(person.id); }); + it('does not allow raw attribute $select ', async () => { + await assert.rejects(() => people.find({ + query: { $select: [['(sqlite_version())', 'x']] } + })); + }); + it('hides the Sequelize error in ERROR symbol', async () => { try { await people.create({
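Review bot: the hardening in lib/index.js, `q.attributes = filters.$select.map(select => `${select}`)`, works only indirectly: it flattens a nested `[expression, alias]` entry into a single string so Sequelize quotes it as a column identifier instead of treating it as a raw attribute, and the request then fails with a database error rather than an input-validation error. Consider rejecting non-string entries explicitly (for example, throwing a BadRequest when any element of `filters.$select` is not a string) so the intent is visible in the code and the client receives a 4xx; note also that if `filters.$select` ever arrives as a non-array value, `.map` throws a TypeError at this line instead of returning a clean validation error.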
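Review bot: the new test in test/index.test.js only asserts that `people.find({ query: { $select: [['(sqlite_version())', 'x']] } })` rejects, without checking the error type, so it would also pass if the query failed for an unrelated reason; assert on the error class (for example, that it is a BadRequest rather than a generic database error) so the test pins down that the input itself was rejected. Minor: the test title 'does not allow raw attribute $select ' has a trailing space.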
References
- csirt.divd.nl/CVE-2022-2422 (third-party advisory)
- csirt.divd.nl/DIVD-2022-00020 (third-party advisory)
- github.com/advisories/GHSA-qpv8-4pjq-qqh7 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-2422 (advisory)
- csirt.divd.nl/cases/DIVD-2022-00020
- csirt.divd.nl/cves/CVE-2022-2422
- github.com/feathersjs-ecosystem/feathers-sequelize/commit/0f2d85f0b2d556f2b6c70423dcebdbd29d95e3dc (fix commit)