===================================================================== CERT-Renater Note d'Information No. 2023/VULN096 _____________________________________________________________________ DATE : 23/02/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Sequelize versions prior to 6.19.1, 6.28.1, sequelize/core versions prior to 7.0.0-alpha.20. ===================================================================== https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95 _____________________________________________________________________ SQL Injection via replacements Critical ephys published GHSA-wrh9-cjv3-2hpw Package sequelize (npm) Affected versions < 6.19.1 Patched versions 6.19.1 Description Impact The SQL injection exploit is related to replacements. Here is such an example: In the following query, some parameters are passed through replacements, and some are passed directly through the where option. User.findAll({ where: or( literal('soundex("firstName") = soundex(:firstName)'), { lastName: lastName }, ), replacements: { firstName }, }) This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query which parsed the resulting SQL to inject all :replacements. If the user passed values such as { "firstName": "OR true; DROP TABLE users;", "lastName": ":firstName" } Sequelize would first generate this query: SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName' Then would inject replacements in it, which resulted in this: SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;'' As you can see this resulted in arbitrary user-provided SQL being executed. Patches The issue was fixed in Sequelize 6.19.2 Workarounds Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.2. References See this thread for more information: #14519 Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027 Severity Critical 10.0/ 10 CVSS base metrics Attack vector Network Attack complexity Low Privileges required User interaction None Scope Changed Confidentiality High Integrity High Availability High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVE ID CVE-2023-25813 Weaknesses CWE-89 Credits @ephys ephys _____________________________________________________________________ CVE-2023-22579 - Unsafe fall-through in getWhereConditions Critical ephys published GHSA-vqfx-gj96-3w95 Package @sequelize/core (npm) Affected versions < 7.0.0-alpha.20 Patched versions 7.0.0-alpha.20 sequelize (npm) Affected versions < 6.28.1 Patched versions 6.28.1 Description Impact Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error. A finder call like the following did not throw an error: User.findAll({ where: new Date(), }); As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option. Patches This issue has been patched in sequelize@6.28.1 & @sequelize/core@7.0.0.alpha-20 References A discussion thread about this issue is open at #15698 CVE: CVE-2023-22579 Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090 Severity Critical 9.9/ 10 CVSS base metrics Attack vector Network Attack complexity Low Privileges required Low User interaction None Scope Changed Confidentiality High Integrity High Availability High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE ID CVE-2023-22579 Weaknesses CWE-843 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================