GMS-2020-770: SQL Injection via GeoJSON in sequelize

September 1, 2020 (updated September 23, 2021)

Affected versions of sequelize are vulnerable to SQL Injection in Models that have fields with the GEOMETRY DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using ST_GeomFromGeoJSON, and MySQL GeoJSON documents using GeomFromText.

Recommendation

Update to version 3.23.6 or later.

References

github.com/advisories/GHSA-5v9h-q3gj-c32x
github.com/sequelize/sequelize/issues/6194
nvd.nist.gov/vuln/detail/CVE-2016-1000225
snyk.io/vuln/npm:sequelize:20160718
www.npmjs.com/advisories/122

Code Behaviors & Features

Detect and mitigate GMS-2020-770 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →