CVE-2019-10748
SQL Injection vulnerability in sequelize (npm)

SQL Injection | No known exploit

What is CVE-2019-10748 About?

Affected versions of `sequelize` are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, enabling attackers to inject SQL statements and execute arbitrary SQL queries. This vulnerability can lead to data theft, modification, or denial of service, and is relatively easy to exploit if attacker-controlled input is used in JSON path keys.

Affected Software

  • sequelize
    • <3.35.1
    • >4.0.0, <4.44.3
    • >5.0.0, <5.8.11

Technical Details

Affected versions of the sequelize ORM are vulnerable to SQL Injection, specifically impacting the MariaDB and MySQL dialects. The vulnerability arises because the package fails to properly sanitize JSON path keys when constructing SQL queries. An attacker can supply specially crafted input containing SQL metacharacters within the JSON path keys. When sequelize processes this input to build a query, it directly incorporates the unsanitized JSON path into the SQL statement. This allows the attacker to break out of the intended JSON path context and inject arbitrary SQL clauses, leading to the execution of unintended SQL commands. This can result in data exfiltration, data manipulation, privilege escalation, or full compromise of the database.

What is the Impact of CVE-2019-10748?

Successful exploitation may allow attackers to execute arbitrary SQL queries, leading to data exfiltration, unauthorized data modification, or complete compromise of the database.

What is the Exploitability of CVE-2019-10748?

Exploitation of this SQL Injection vulnerability is of moderate complexity. An attacker must be able to control input that is used as a JSON path key within a sequelize query targeting a MariaDB or MySQL database. There are no inherent authentication or privilege requirements beyond what is necessary to interact with an application endpoint that uses the vulnerable sequelize query. This is typically a remote exploit scenario, where an attacker injects malicious JSON path keys via HTTP request parameters, JSON body fields, or other user-controlled input channels. The primary prerequisite is the use of a vulnerable sequelize version with MariaDB or MySQL, and the construction of queries where user input directly influences JSON path keys without proper sanitization/escaping. This is a significant risk factor, as SQL injection can lead to complete database compromise.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2019-10748?

Available Upgrade Options

  • sequelize
    • <3.35.1 → Upgrade to 3.35.1
    • >4.0.0, <4.44.3 → Upgrade to 4.44.3
    • >5.0.0, <5.8.11 → Upgrade to 5.8.11
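
As defense in depth alongside the upgrade, an application can refuse any JSON path key that is not a plain identifier before it reaches the query builder. The following is an added example, not code from sequelize or from this advisory; the segment pattern, the depth limit, and the names `parseJsonPath`, `buildJsonWhere` and `isSafeJsonPath` are assumptions, and the sample inputs are constructed.

```javascript
// Added example: allow-list check for JSON path keys (not sequelize code).
// Assumed policy: identifier-like segments only, at most MAX_DEPTH levels.
const SEGMENT = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DEPTH = 5;

// Split a dotted path such as "video.url" and validate every segment.
function parseJsonPath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('JSON path must be a non-empty string');
  }
  const segments = path.split('.');
  if (segments.length > MAX_DEPTH) throw new RangeError('JSON path too deep');
  for (const seg of segments) {
    if (!SEGMENT.test(seg) || FORBIDDEN.has(seg)) {
      throw new Error('rejected JSON path segment: ' + JSON.stringify(seg));
    }
  }
  return segments;
}

// Build the nested-object form of a where clause for a JSON column.
// The value must be a scalar: an object taken from a request body would
// contribute its own keys as further, unvalidated path keys.
function buildJsonWhere(column, allowedColumns, path, value) {
  if (!allowedColumns.includes(column)) throw new Error('column not allowed');
  const scalar = value === null || ['string', 'number', 'boolean'].includes(typeof value);
  if (!scalar) throw new TypeError('value must be a scalar');
  let node = value;
  for (const seg of parseJsonPath(path).reverse()) node = { [seg]: node };
  return { [column]: node };
}

// Boolean wrapper for request validation layers.
function isSafeJsonPath(path) {
  try { parseJsonPath(path); return true; } catch (err) { return false; }
}

// Constructed sample inputs.
console.log(JSON.stringify(buildJsonWhere('meta', ['meta'], 'video.url', 'x')));
console.log(isSafeJsonPath("title'"), isSafeJsonPath('a.b c'), isSafeJsonPath('a..b'));
```

The object returned by `buildJsonWhere` is in the nested form that sequelize accepts in `where` for a JSON column.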

Additional Resources

What are Similar Vulnerabilities to CVE-2019-10748?

Similar Vulnerabilities: CVE-2023-45803, CVE-2023-37905, CVE-2023-35661, CVE-2023-33908, CVE-2023-28682