VYPR
Severity: Critical (NVD Advisory) · Published Feb 16, 2023 · Updated Apr 1, 2025

Sequelize - Unsafe fall-through in getWhereConditions

CVE-2023-22579

Description

Due to improper parameter filtering in the Sequelize JS library, an attacker can perform injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper parameter filtering in Sequelize ORM allows injection attacks; fixed in versions 6.28.1 and 7.0.0-alpha.20.

CVE-2023-22579 describes an injection vulnerability in the Sequelize ORM for Node.js, caused by improper parameter filtering. The root issue lies in how Sequelize handles string replacements in queries, particularly when parameters follow double dollar sign ($$) sequences. This flaw allowed unsanitized input to bypass proper escaping, leading to potential injection attacks [1][2].

The vulnerability can be exploited when user-supplied data is passed to Sequelize query methods without adequate validation. An attacker may craft specific input that interferes with parameter substitution, enabling them to inject malicious SQL or other database commands. The attack requires the ability to influence query parameters, often through application endpoints that accept user input [3].

Successful exploitation could allow an attacker to execute arbitrary SQL statements, leading to data exfiltration, modification, or unauthorized access to the database. The impact depends on the database privileges assigned to the application's connection [3].

Sequelize patched this vulnerability in releases v6.28.1 and v7.0.0-alpha.20. Users should upgrade to these or later versions. No workaround has been officially documented, making patching the recommended course of action [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions    Patched versions
sequelize (npm)          < 6.28.1             6.28.1
@sequelize/core (npm)    < 7.0.0-alpha.20     7.0.0-alpha.20
