High severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026
Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type
CVE-2026-30951
Description
Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS ) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sequelizenpm | >= 6.0.0-beta.1, < 6.37.8 | 6.37.8 |
Affected products
4- osv-coords3 versions
< 7.5.7-r14+ 2 more
- (no CPE)range: < 7.5.7-r14
- (no CPE)range: < 7.5.7-r14
- (no CPE)range: >= 6.0.0-beta.1, < 6.37.8
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-6457-6jrx-69crghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30951ghsaADVISORY
- github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69crghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.