CVE-2023-22578
SQL Injection vulnerability in core (npm)
What is CVE-2023-22578 About?
This vulnerability in Sequelize 6.28.2 and prior stems from dangerous behavior where parentheses in the `attribute` option cause the value to be treated as raw SQL, leading to direct SQL injection. This allows attackers to manipulate SQL queries by injecting arbitrary SQL code, potentially leading to data exfiltration or modification. Exploitation is straightforward for attackers who can control the `attribute` option.
Affected Software
- @sequelize/core
  - <7.0.0-alpha.20
- sequelize
  - <6.29.0
Technical Details
The vulnerability stems from a dangerous feature in Sequelize versions 6.28.2 and earlier. If parentheses are included within an attribute option, Sequelize incorrectly interprets the string as raw SQL and injects it directly into the query without escaping. For example, `['count(id)', 'count']` is rendered as `SELECT count(id) AS "count"` instead of `SELECT "count(id)" AS "count"`. This allows an attacker who can control the attribute option to inject arbitrary SQL, bypassing the ORM's identifier quoting and enabling SQL injection.
What is the Impact of CVE-2023-22578?
Successful exploitation may allow attackers to perform SQL injection, execute arbitrary database commands, access, modify, or delete sensitive data, or bypass authentication.
What is the Exploitability of CVE-2023-22578?
Exploitation complexity is low. An attacker needs to control the attribute option in a Sequelize query and supply a value containing parentheses (e.g., `['1=1 OR 1=1; --', 'dummy']`). No specific authentication or privilege requirements exist beyond the ability to interact with an application that constructs a Sequelize query from user-influenced attribute parameters. This is typically a remote vulnerability if the application lets external users influence query parameters. The primary risk factor is the use of user-provided content to build attribute lists in Sequelize queries without explicit validation or the recommended mitigation strategies.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-22578?
About the Fix from Resolved Security
The patch ensures that identifiers are always properly quoted and that the special `*` identifier is handled safely, preventing arbitrary SQL injection via unquoted attributes. By enforcing identifier quoting and requiring safe constructs such as `sequelize.fn()` for SQL functions, it removes the condition behind CVE-2023-22578, in which attackers could inject malicious SQL via crafted attribute names. Contextual escaping makes such injection attempts inert.
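The rendering difference described under Technical Details and the approach of the fix (always quoting identifiers, expressing functions through a structured `fn()` construct, and validating user-supplied attribute names), as an added example in plain JavaScript that is not Sequelize's own code: `quoteIdent`, `fn`, `col`, `renderSelect`, `attributesFromRequest` and the `ALLOWED_COLUMNS` set are simplified stand-ins constructed for illustration, and quoting follows PostgreSQL's double-quote convention.

```javascript
// Added example (not Sequelize's code): a simplified model of how an attribute
// entry is rendered, contrasting the pre-6.29.0 behaviour the advisory describes
// with the fixed behaviour, plus an application-side allowlist.
const quoteIdent = (s) => `"${String(s).replace(/"/g, '""')}"`;

// Structured function call and column reference, standing in for
// sequelize.fn() / sequelize.col(): the function name is validated, and
// its arguments are rendered as identifiers, never as raw SQL.
const fn = (name, ...args) => ({ fn: name, args });
const col = (name) => ({ col: name });

function renderExpr(expr, mode) {
  if (typeof expr === 'string') {
    // Vulnerable behaviour: a string containing parentheses is emitted verbatim.
    if (mode === 'vulnerable' && expr.includes('(')) return expr;
    // Fixed behaviour: every string attribute is an identifier and is quoted.
    return quoteIdent(expr);
  }
  if (expr.col) return quoteIdent(expr.col);
  if (expr.fn) {
    if (!/^[A-Za-z_]\w*$/.test(expr.fn)) throw new Error('bad function name');
    return `${expr.fn}(${expr.args.map((a) => renderExpr(a, mode)).join(', ')})`;
  }
  throw new Error('unsupported expression');
}

// Render a SELECT list from attribute entries: either 'name' or [expr, alias].
function renderSelect(table, attributes, mode = 'fixed') {
  const parts = attributes.map((a) =>
    Array.isArray(a)
      ? `${renderExpr(a[0], mode)} AS ${quoteIdent(a[1])}`
      : renderExpr(a, mode)
  );
  return `SELECT ${parts.join(', ')} FROM ${quoteIdent(table)}`;
}

// Application-side mitigation: never pass request input through as an
// attribute string; accept only names from a fixed set of permitted columns.
const ALLOWED_COLUMNS = new Set(['id', 'name', 'created_at']); // constructed sample
function attributesFromRequest(fields) {
  const bad = fields.filter((f) => !ALLOWED_COLUMNS.has(f));
  if (bad.length) throw new Error(`rejected attributes: ${bad.join(', ')}`);
  return fields;
}
```

Running `renderSelect('users', [['count(id)', 'count']], 'vulnerable')` reproduces the advisory's `SELECT count(id) AS "count"` rendering, while the default mode quotes the whole string as an identifier.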
Available Upgrade Options
- @sequelize/core
  - <7.0.0-alpha.20 → Upgrade to 7.0.0-alpha.20
- sequelize
  - <6.29.0 → Upgrade to 6.29.0
Additional Resources
- https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx
- https://csirt.divd.nl/CVE-2023-22578
- https://github.com/sequelize/sequelize/pull/15710
- https://nvd.nist.gov/vuln/detail/CVE-2023-22578
- https://github.com/sequelize/sequelize/releases/tag/v6.29.0
- https://osv.dev/vulnerability/GHSA-f598-mfpv-gmfx
- https://csirt.divd.nl/DIVD-2022-00020/
- https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20
What are Similar Vulnerabilities to CVE-2023-22578?
Similar Vulnerabilities: CVE-2023-22579, CVE-2022-29774, CVE-2022-26166, CVE-2021-43224, CVE-2021-39182
