CVE-2016-10554: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

February 18, 2019 (updated January 8, 2021)

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. Before version 1.7.0-alpha3, sequelize defaulted SQLite to use MySQL backslash escaping, even though SQLite uses Postgres escaping.

References

github.com/advisories/GHSA-x2jc-pwfj-h9p3
github.com/sequelize/sequelize/commit/c876192aa6ce1f67e22b26a4d175b8478615f42d
nodesecurity.io/advisories/113
nvd.nist.gov/vuln/detail/CVE-2016-10554
www.npmjs.com/advisories/113

Code Behaviors & Features

Detect and mitigate CVE-2016-10554 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →