Critical severity · NVD Advisory · Published Oct 25, 2022 · Updated Mar 11, 2025
Feathers - Query “__proto__” is converted to real prototype
CVE-2022-29823
Description
The feathers-sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in remote code execution (RCE) with the privileges of the application.
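To show the mechanism the description refers to, and the hardening a defender would apply, here is an added example that is not code from feathers-sequelize: a key-by-key recursive copy in which a JSON-derived `__proto__` key becomes the copy's real prototype, beside a copy that refuses prototype-related keys, plus a check a service can run on a built query. The function names and the sample query are this example's own assumptions.

```javascript
// Added example, not feathers-sequelize code. cleanQueryNaive, cleanQuerySafe
// and isPlainQuery are this example's own names; SAMPLE_QUERY is constructed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Key-by-key recursive copy. For the key "__proto__", `result[key] = value`
// invokes the setter inherited from Object.prototype, so the copy's real
// prototype is replaced and the key silently vanishes from Object.keys().
function cleanQueryNaive(query) {
  if (Array.isArray(query)) return query.map(cleanQueryNaive);
  if (!isPlainObject(query)) return query;
  const result = {};
  for (const key of Object.keys(query)) {
    result[key] = cleanQueryNaive(query[key]);
  }
  return result;
}

// Hardened copy: skips prototype-related keys and defines every other key
// as an own data property, so no inherited setter can run.
function cleanQuerySafe(query) {
  if (Array.isArray(query)) return query.map(cleanQuerySafe);
  if (!isPlainObject(query)) return query;
  const result = {};
  for (const key of Object.keys(query)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    Object.defineProperty(result, key, {
      value: cleanQuerySafe(query[key]),
      enumerable: true, writable: true, configurable: true,
    });
  }
  return result;
}

// Check a query before handing it to the ORM: plain prototype and no
// prototype-related own keys, at every nesting level.
function isPlainQuery(query) {
  if (Array.isArray(query)) return query.every(isPlainQuery);
  if (!isPlainObject(query)) return true;
  if (Object.getPrototypeOf(query) !== Object.prototype) return false;
  return Object.keys(query).every(
    (key) => !FORBIDDEN_KEYS.has(key) && isPlainQuery(query[key]));
}

// Constructed sample: a body as JSON.parse delivers it, where "__proto__"
// is an ordinary own key (unlike the `__proto__:` form in an object literal).
const SAMPLE_QUERY = JSON.parse('{"name":"Dave","__proto__":{"polluted":true}}');
```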
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| feathers-sequelize (npm) | >= 6.0.0, < 6.3.3 | 6.3.3 |
Affected products
- Range: 6.x
Patches
0b7beaa773dc Prevent query prototype pollution (#389)
5 files changed · +16 −4
lib/index.js+1 −1 modified@@ -102,7 +102,7 @@ class Service extends AdapterService { return converted; }; - filtered.query = convertOperators(filtered.query); + filtered.query = Object.assign({}, convertOperators(filtered.query)); return filtered; }
lib/utils.js+2 −2 modified@@ -36,8 +36,8 @@ exports.errorHandler = error => { exports.getOrder = (sort = {}) => Object.keys(sort).reduce((order, name) => { let direction; if (Array.isArray(sort[name])) { - direction = parseInt(sort[name][0], 10) === 1 ? 'ASC' : 'DESC'; - direction += parseInt(sort[name][1], 10) === 1 ? ' NULLS FIRST': ' NULLS LAST'; + direction = parseInt(sort[name][0], 10) === 1 ? 'ASC' : 'DESC'; + direction += parseInt(sort[name][1], 10) === 1 ? ' NULLS FIRST' : ' NULLS LAST'; } else { direction = parseInt(sort[name], 10) === 1 ? 'ASC' : 'DESC'; }
package-lock.json+1 −0 modified@@ -5,6 +5,7 @@ "requires": true, "packages": { "": { + "name": "feathers-sequelize", "version": "6.3.2", "license": "MIT", "dependencies": {
README.md+1 −1 modified@@ -1,7 +1,6 @@ # feathers-sequelize [](https://github.com/feathersjs-ecosystem/feathers-sequelize/actions?query=workflow%3ACI) -[](https://david-dm.org/feathersjs-ecosystem/feathers-sequelize) [](https://www.npmjs.com/package/feathers-sequelize) A [Feathers](https://feathersjs.com) database adapter for [Sequelize](http://sequelizejs.com), an ORM for Node.js. It supports PostgreSQL, MySQL, MariaDB, SQLite and MSSQL and features transaction support, relations, read replication and more. @@ -21,6 +20,7 @@ A [Feathers](https://feathersjs.com) database adapter for [Sequelize](http://seq - [Embrace the ORM](#embrace-the-orm) - [Setting `params.sequelize.include`](#setting-paramssequelizeinclude) - [Querying](#querying) + - [Querying a nested column](#querying-a-nested-column) - [Working with Sequelize Model instances](#working-with-sequelize-model-instances) - [Validation](#validation) - [Testing sequelize queries in isolation](#testing-sequelize-queries-in-isolation)
test/index.test.js+11 −0 modified@@ -252,6 +252,17 @@ describe('Feathers Sequelize Service', () => { await people.remove(person.id); }); + it('cleans up the query prototype', async () => { + const page = await people.find({ + query: { + name: 'Dave', + __proto__: [] + } + }); + + assert.strictEqual(page.data.length, 0); + }); + it('still allows querying with Sequelize operators', async () => { const name = 'Age test'; const person = await people.create({ name, age: 10 });
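Review bot: in the lib/index.js hunk, `Object.assign({}, convertOperators(filtered.query))` copies with [[Set]] semantics, so it sheds the polluted prototype only because the preceding key-by-key copy has already turned the `__proto__` key into the object's prototype rather than an own property; a source object that still carried an own `__proto__` key would invoke the setter on the fresh `{}` again. A copy that explicitly skips `__proto__`, `constructor` and `prototype` keys (or defines keys with `Object.defineProperty`) would not depend on that ordering, and a one-line comment at this site saying why the extra copy exists would keep the next refactor from removing it.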
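Review bot: the lib/utils.js hunk only changes the whitespace before `:` in the `' NULLS FIRST' : ' NULLS LAST'` ternary and has no bearing on the prototype fix; keeping formatting-only changes out of a security patch makes the fix easier to review and to backport to 6.x branches.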
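Review bot: in the test/index.test.js hunk, the object literal `__proto__: []` is the literal's special form, which sets the prototype at construction and creates no own key, so `people.find` never receives the own `__proto__` property that a JSON body produces; building the query with `JSON.parse('{"name":"Dave","__proto__":[]}')` would exercise that path. Also, `assert.strictEqual(page.data.length, 0)` passes as long as no record named 'Dave' exists, whether or not the prototype was cleaned; asserting on the prototype of the query the service builds, or on a response that would differ if the prototype leaked, would actually catch a regression.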
References
- csirt.divd.nl/CVE-2022-29823/ (MITRE, third-party advisory)
- csirt.divd.nl/DIVD-2022-00020 (GHSA, third-party advisory, web)
- github.com/advisories/GHSA-p5m3-27vh-52j4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-29823 (GHSA, advisory)
- csirt.divd.nl/CVE-2022-29823 (GHSA, web)
- csirt.divd.nl/cases/DIVD-2022-00020 (GHSA, web)
- csirt.divd.nl/cves/CVE-2022-29823 (GHSA, web)
- github.com/feathersjs-ecosystem/feathers-sequelize/commit/0b7beaa773dc313fdb27edd9ee8115064d7cf114 (GHSA, web)