CVE-2023-22578 & CVE-2023-25813: Critical SQLi flaws in Sequelize
Three critical vulnerabilities in Sequelize may allow a remote attacker to execute arbitrary SQL queries on the database.
With more than 18.600 monthly downloads, Sequelize is an easy-to-use and promise-based Node.js ORM tool for Postgres, MySQL, MariaDB, SQLite, DB2, Microsoft SQL Server, Snowflake, Oracle DB, and Db2 for IBM i. It features solid transaction support, relations, eager and lazy loading, read replication, and more.
Security researchers discovered CVE-2023-22578 and CVE-2023-25813, two critical-severity defects in Sequelize, each assessed a CVSS score of 10, which should put all Sequelize users on alert due to their potential for widespread impact.
The root cause of CVE-2023-22578 is improper attribute filtering in the Sequelize JS library, which allows an attacker to perform SQL injection. This issue can be mitigated by not accepting untrusted input.
The flaw was addressed by the Sequelize developers with the release of Sequelize version 7.0.0-alpha.20 on December 22, 2022, but technical details on the bug had not been provided until now.
The root cause of CVE-2023-25813 lies in the replacements statement: it allowed a malicious actor to pass dangerous values such as OR true; DROP TABLE users through replacements, resulting in arbitrary SQL execution. The bug affects Sequelize versions prior to 6.19.1 and was addressed with the release of Sequelize version 6.19.2 on May 18, 2022. To mitigate the risk, if you are not using Sequelize >= 6.19.2, do not use the replacements and the where option in the same query.
Another critical bug, tracked as CVE-2023-22579 (CVSS score of 9.9), is described as an Access of Resource Using Incompatible Type ('Type Confusion') flaw caused by improper user-input sanitization, specifically an unsafe fall-through in GET WHERE conditions. It has been addressed in versions 7.0.0-alpha.20 and 6.28.1, released on Wednesday.
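To turn the fix releases above into a quick exposure check for a deployment, here is an added example (not code from the article or from the Sequelize project) that compares an installed Sequelize version, including the 7.x pre-release form, against the fix releases the article names; the FIXES table and the "same major line or newer" rule are assumptions of this example.

```javascript
// Added example (not from the article or the Sequelize project): given the
// installed Sequelize version, list the CVEs discussed above it is still
// exposed to. Fix releases are the ones the article names.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    // pre-release identifiers; numeric ones compare numerically (alpha.9 < alpha.20)
    pre: m[4] ? m[4].split('.').map(s => (/^\d+$/.test(s) ? Number(s) : s)) : null,
  };
}

// Semver ordering: major.minor.patch, then pre-release identifiers;
// a pre-release sorts before its release (7.0.0-alpha.20 < 7.0.0).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre || !y.pre) return x.pre ? -1 : 1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined || y.pre[i] === undefined) return x.pre[i] === undefined ? -1 : 1;
    if (x.pre[i] === y.pre[i]) continue;
    if (typeof x.pre[i] !== typeof y.pre[i]) return typeof x.pre[i] === 'number' ? -1 : 1;
    return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// Fix releases as stated in the article; consult the official advisories for others.
const FIXES = {
  'CVE-2023-25813': ['6.19.2'],                   // replacements used together with where
  'CVE-2023-22579': ['6.28.1', '7.0.0-alpha.20'], // unsafe fall-through in where conditions
  'CVE-2023-22578': ['7.0.0-alpha.20'],           // improper attribute filtering
};

// Patched when the version is >= a fix release on its own major line, or when it
// belongs to a newer major line than any fix listed for that CVE (assumed rule).
function isPatched(installed, fixes) {
  const major = parseVersion(installed).core[0];
  if (major > Math.max(...fixes.map(f => parseVersion(f).core[0]))) return true;
  return fixes.some(f => parseVersion(f).core[0] === major && compareVersions(installed, f) >= 0);
}

function exposedCves(installed) {
  return Object.keys(FIXES).filter(cve => !isPatched(installed, FIXES[cve]));
}

console.log(exposedCves('6.19.1'), exposedCves('7.0.0-alpha.20'));
```

Run it against the version reported by `npm ls sequelize`; an empty list means every fix release the article names is already in place.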
In light of the critical nature of the vulnerability, users are recommended to update to the latest version as soon as possible to mitigate possible threats.