Sequelize - Bad query filtering leading to SQL errors
Description
Due to improper input filtering in the Sequelize JS library, malicious queries can lead to sensitive information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input filtering in Sequelize allows attackers to send malicious queries that may disclose sensitive database information.
Vulnerability
Overview
The vulnerability CVE-2023-22580 is caused by improper input filtering in the Sequelize ORM library. Specifically, the library fails to properly sanitize inputs when handling escaped strings and WHERE clauses, leading to potential SQL injection-like behavior. This issue was identified and patched in subsequent releases [1][2].
Exploitation
An attacker can exploit this flaw by providing crafted input to application endpoints that use Sequelize for database queries. If the application does not properly validate user input before passing it to Sequelize functions, the attacker may be able to inject malicious SQL fragments. The exploitation does not necessarily require authentication, depending on the application's design [2][3].
Impact
Successful exploitation could allow an attacker to extract sensitive information from the database, such as user credentials, personal data, or other confidential records. The Dutch Institute for Vulnerability Disclosure (DIVD) has also published an advisory highlighting the potential for data disclosure [3].
Mitigation
The issue is resolved in Sequelize versions 6.28.1 (stable) and 7.0.0-alpha.20 (alpha). Users are strongly advised to upgrade to these patched versions or later. The fix addresses the improper input filtering and ensures that parameters are correctly escaped and validated [1][2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
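The Exploitation and Mitigation notes above both come back to the same application-side point: user-controlled filter values must be validated before they are handed to Sequelize's `where`. The following is an added example (not Sequelize's own code and not from the advisory) of such a gate; it assumes a hypothetical `findUsers` handler, a hypothetical `User` model and a constructed column allow-list. Upgrading to the patched versions listed above is still the fix for the library defect itself.

```javascript
// Columns a caller may filter on, with the primitive type each must have.
// Constructed for this example; a real application derives it from its model.
const ALLOWED_FILTERS = {
  username: 'string',
  email: 'string',
  active: 'boolean',
};

class BadFilterError extends Error {}

// Returns a plain `where` object containing only allow-listed columns with
// scalar values. Nested objects and arrays are rejected because Sequelize
// does not treat them as literal values (they become operator maps, IN lists
// or JSON-path lookups), and unknown column names are rejected rather than
// forwarded to the query builder.
function buildWhere(userFilters, allowed = ALLOWED_FILTERS) {
  if (userFilters === null || typeof userFilters !== 'object' || Array.isArray(userFilters)) {
    throw new BadFilterError('filters must be a plain object');
  }
  const where = {};
  for (const key of Object.keys(userFilters)) {
    const expected = Object.prototype.hasOwnProperty.call(allowed, key) ? allowed[key] : undefined;
    if (!expected) {
      throw new BadFilterError(`unknown filter column: ${key}`);
    }
    const value = userFilters[key];
    if (value === null || typeof value !== expected) {
      throw new BadFilterError(`filter ${key} must be a ${expected}`);
    }
    where[key] = value;
  }
  return where;
}

// Hypothetical request handler: the only path from a request body to the ORM.
// `User` stands in for a Sequelize model; findAll({ where }) is the real API shape.
async function findUsers(User, body) {
  const where = buildWhere(body.filters || {});
  return User.findAll({ where, attributes: ['id', 'username'] });
}
```

Anything that is not a primitive of the expected type for an allow-listed column is refused before Sequelize sees it, which also removes the dependence on the ORM's own key and value filtering for this code path.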
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| sequelize | npm | < 6.28.1 | 6.28.1 |
| @sequelize/core | npm | < 7.0.0-alpha.20 | 7.0.0-alpha.20 |
Affected products
- Range: < v7.0.0-alpha.20
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- csirt.divd.nl/CVE-2023-22580 (third-party advisory; via GHSA)
- github.com/advisories/GHSA-8c25-f3mj-v6h8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-22580 (NVD advisory; via GHSA)
- csirt.divd.nl/DIVD-2022-00020 (DIVD case page; via GHSA and MITRE)
- github.com/sequelize/sequelize/pull/15375 (fix pull request)
- github.com/sequelize/sequelize/pull/15699 (fix pull request)
- github.com/sequelize/sequelize/releases/tag/v6.28.1 (patched release)
- github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20 (patched release)
News mentions
No linked articles in our index yet.