Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type
Description
Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS ) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sequelize prior to 6.37.8 has SQL injection via unescaped cast type in JSON/JSONB where clause processing, allowing data exfiltration.
Vulnerability
Overview
CVE-2026-30951 is a SQL injection vulnerability in Sequelize, a Node.js ORM, affecting versions prior to 6.37.8. The flaw resides in the _traverseJSON() function within src/dialects/abstract/query-generator.js. When processing JSON/JSONB column queries, the function splits JSON path keys on :: to extract a cast type, which is then interpolated directly into a CAST(... AS ) SQL statement without any sanitization or validation [1][2].
Exploitation
An attacker who can control JSON object keys—for example, by providing user-supplied data that is stored in a JSON column and later used in a WHERE clause—can inject arbitrary SQL. The cast type portion of the key is not escaped, allowing the attacker to break out of the CAST expression and append malicious SQL. No special authentication is required beyond the ability to influence the JSON keys that are queried [2].
Impact
Successful exploitation enables an attacker to execute arbitrary SQL commands, potentially exfiltrating data from any table in the database. NVD has not yet published a CVSS score, but the advisory classifies the issue as high severity because of the ease of exploitation and the potential for data leakage [1][2].
Mitigation
The vulnerability is fixed in Sequelize version 6.37.8. Users should upgrade immediately. The v7 line (@sequelize/core) is not affected. No workarounds are documented; the recommended fix is to whitelist allowed SQL data types for cast operations [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
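As an added illustration (not Sequelize's own code), the following simplified model shows the pattern the advisory describes, a path key split on `::` with the cast type interpolated into `CAST(... AS ...)`, beside the allowlist check the advisory recommends. The helper names, the column and path quoting, and the list of allowed types are assumptions of this example.

```javascript
// Added example, not Sequelize's code: a simplified model of the pattern
// described in the advisory. Names, quoting and the allowlist are assumptions.

// Split a JSON path key such as "profile.age::integer" into path segments
// and an optional cast type (everything after the first "::").
function extractPath(key) {
  const path = key.split('.');
  let cast;
  const last = path[path.length - 1];
  if (last.includes('::')) {
    const tmp = last.split('::');
    path[path.length - 1] = tmp[0];
    cast = tmp[1];
  }
  return { path, cast };
}

// Build a Postgres-style text extraction expression (quoting simplified).
function jsonExtract(column, path) {
  const segments = path.map((p) => `'${p.replace(/'/g, "''")}'`);
  return `("${column}"#>>ARRAY[${segments.join(',')}])`;
}

// Vulnerable pattern: the cast type is placed verbatim into CAST(... AS ...),
// so a user-controlled key reaches the SQL string unescaped.
function vulnerableCastKey(column, key) {
  const { path, cast } = extractPath(key);
  const expr = jsonExtract(column, path);
  return cast === undefined ? expr : `CAST(${expr} AS ${cast.toUpperCase()})`;
}

// Hardened pattern: only an allowlisted bare SQL type name may be used.
const ALLOWED_CAST_TYPES = new Set([
  'TEXT', 'INTEGER', 'BIGINT', 'BOOLEAN', 'NUMERIC', 'DOUBLE PRECISION',
  'TIMESTAMP', 'DATE', 'UUID', 'JSONB',
]);

function safeCastKey(column, key) {
  const { path, cast } = extractPath(key);
  const expr = jsonExtract(column, path);
  if (cast === undefined) return expr;
  const type = cast.trim().toUpperCase();
  if (!ALLOWED_CAST_TYPES.has(type)) {
    throw new Error(`Unsupported cast type in JSON path key: ${JSON.stringify(cast)}`);
  }
  return `CAST(${expr} AS ${type})`;
}

// Constructed inputs: a legitimate key and one carrying extra SQL after the type.
console.log(vulnerableCastKey('meta', 'profile.age::integer'));
console.log(vulnerableCastKey('meta', 'profile.age::integer) OR (1=1'));
try { safeCastKey('meta', 'profile.age::integer) OR (1=1'); } catch (e) { console.log(e.message); }
```

The second call shows the unescaped text landing after the closing parenthesis of the CAST, while the hardened variant rejects the same key before any SQL is built.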
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sequelize (npm) | >= 6.0.0-beta.1, < 6.37.8 | 6.37.8 |
Affected products
- Range: < 6.37.8
- sequelize/sequelize (source: v5): >= 6.0.0-beta.1, < 6.37.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6457-6jrx-69cr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-30951 (NVD advisory)
- github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.