Sequelize - Default support for "raw attributes" when using parentheses
Description
Due to improper attribute filtering in the Sequelize JS library, an attacker can perform SQL injections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-22578 is a SQL injection vulnerability in Sequelize due to improper string attribute escaping, allowing arbitrary SQL execution.
Vulnerability Details
CVE-2023-22578 is a SQL injection vulnerability in Sequelize, a popular Node.js ORM. The bug stems from improper attribute filtering in the library's query generation, specifically insufficient escaping of string attributes. This allows an attacker to inject malicious SQL fragments through user-controllable inputs [1]. The vulnerability was addressed by a fix that ensures string attributes are always escaped [1].
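The practical defence for the bug class described above is to never let a request-controlled attribute list reach a Sequelize query unchecked, since affected versions could treat a string attribute wrapped in parentheses as raw SQL. The helper below is an added example, not Sequelize's own code or the project's fix; the column allowlist and the `attributesFromQuery` entry point are assumptions for illustration.

```javascript
// Added example: allowlist attribute names before they reach Model.findAll({ attributes }).
// Affected versions (sequelize < 6.29.0, @sequelize/core < 7.0.0-alpha.20) could pass a
// parenthesised string attribute through as raw SQL, so only plain, known column names
// may come from user input.

// Hypothetical allowlist; a real app would derive it from the model's known attributes.
const USER_COLUMNS = new Set(['id', 'username', 'email', 'createdAt']);

// A plain SQL identifier: letters, digits, underscore. No parentheses, quotes or spaces.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

class InvalidAttributeError extends Error {}

// Returns a sanitised copy of `requested` or throws if any entry is not an allowed,
// plain column name. Only strings are accepted; [literal, alias] pairs are refused.
function sanitizeAttributes(requested, allowed = USER_COLUMNS) {
  if (!Array.isArray(requested)) {
    throw new InvalidAttributeError('attributes must be an array');
  }
  return requested.map((attr) => {
    if (typeof attr !== 'string' || !IDENTIFIER.test(attr) || !allowed.has(attr)) {
      throw new InvalidAttributeError(`rejected attribute: ${String(attr)}`);
    }
    return attr;
  });
}

// Hypothetical request handler entry point, e.g. GET /users?fields=id,username.
// Returns the attribute list safe to pass as `attributes` to findAll().
function attributesFromQuery(fieldsParam, allowed = USER_COLUMNS) {
  if (fieldsParam === undefined) return [...allowed]; // default: every allowed column
  return sanitizeAttributes(String(fieldsParam).split(','), allowed);
}
```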
Exploitation
An attacker can exploit this vulnerability by providing crafted input that is used in Sequelize queries without proper sanitization. No authentication is required if the application exposes vulnerable endpoints to unauthenticated users. The attack vector is network-based, and the complexity is low [3].
Impact
Successful exploitation could allow an attacker to execute arbitrary SQL commands against the underlying database, leading to data theft, modification, or deletion, and potentially full compromise of the database server [3].
Mitigation
The vulnerability is patched in Sequelize v6.29.0 and v7.0.0-alpha.20 [1][2]. Users are advised to upgrade to these or later versions. For more details, refer to the official GitHub repository [4] and the NVD entry [3].
- Release v7.0.0-alpha.20 · sequelize/sequelize
- Release v6.29.0 · sequelize/sequelize
- NVD - CVE-2023-22578
- GitHub - sequelize/sequelize: Feature-rich ORM for modern Node.js and TypeScript, it supports PostgreSQL (with JSON and JSONB support), MySQL, MariaDB, SQLite, MS SQL Server, Snowflake, Oracle DB, DB2 and DB2 for IBM i.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @sequelize/core (npm) | < 7.0.0-alpha.20 | 7.0.0-alpha.20 |
| sequelize (npm) | < 6.29.0 | 6.29.0 |
Affected products
- Range: < v7.0.0-alpha.20
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- csirt.divd.nl/CVE-2023-22578 (ghsa, third-party-advisory, WEB)
- github.com/advisories/GHSA-f598-mfpv-gmfx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-22578 (ghsa, ADVISORY)
- csirt.divd.nl/DIVD-2022-00020 (ghsa, WEB)
- csirt.divd.nl/DIVD-2022-00020 (mitre, related)
- github.com/sequelize/sequelize/pull/15710 (ghsa, WEB)
- github.com/sequelize/sequelize/releases/tag/v6.29.0 (ghsa, WEB)
- github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20 (ghsa, WEB)
- github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx (ghsa, WEB)
News mentions
No linked articles in our index yet.