VYPR
High severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026

Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

CVE-2026-30951

Description

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS ) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
sequelizenpm
>= 6.0.0-beta.1, < 6.37.86.37.8

Affected products

4

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.