CVE-2023-22579
Incorrect Authorization vulnerability in sequelize (npm)
What is CVE-2023-22579 About?
This vulnerability in Sequelize allows an invalid value provided to a query's `where` option to be ignored instead of throwing an error. This can lead to unexpected query behavior where filtering conditions are silently bypassed, potentially resulting in unauthorized data access or modification. Exploitation difficulty is low, as it only requires providing an invalid, non-object value to the `where` clause.
Affected Software
- sequelize <6.28.1
- @sequelize/core <7.0.0-alpha.20
Technical Details
The vulnerability occurs within Sequelize, affecting how it processes the where option in database queries. Specifically, if a non-plain JavaScript object value (e.g., a Date object) is passed to the top-level where option, Sequelize fails to validate this input correctly. Instead of throwing an error, it silently disregards the specified where condition entirely, causing the query to execute without the intended filtering. This bypasses the security mechanism of the where clause, potentially exposing more data than authorized or applying operations more broadly than intended.
What is the Impact of CVE-2023-22579?
Successful exploitation may allow attackers to bypass intended data filtering, retrieve or modify unauthorized data, or perform actions with broader scope than permitted.
What is the Exploitability of CVE-2023-22579?
Exploitation is of low complexity. An attacker only needs to get an invalid, non-plain-object value (such as `new Date()`) into the `where` option of a Sequelize query. There are no authentication or privilege requirements beyond what is needed to execute a query against the affected application. The vulnerability is typically remotely reachable when the application exposes an interface that lets users influence query parameters. The primary risk factor is applications that construct database queries from user-supplied data without adequate type validation or error handling for the `where` option.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-22579?
About the Fix from Resolved Security
This patch changes the behavior when an unsupported value is passed to the where option in Sequelize's query generator from returning a default tautology ('1=1') to throwing an explicit error. By enforcing an error, it prevents attackers from exploiting the vulnerability identified as CVE-2023-22579, which allowed unintended, possibly insecure SQL queries to be generated by accepting inappropriate inputs in certain query conditions.
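The behaviour described in the Technical Details and in the fix description above (a non-plain-object `where` value silently becoming the tautology `1=1` before the fix, and an explicit error after it), as an added example that is not Sequelize's own code: a constructed JavaScript model of a query builder with both behaviours side by side, an in-memory "table" so the data-exposure consequence is visible, and the guard an application can apply before handing user-influenced values to the ORM. `compileWhere`, `selectRows`, `assertPlainWhere`, `demo` and the `DOCUMENTS` rows are assumptions made for this example; the real change is in the linked pull request.

```javascript
// Added example (not Sequelize's code): a constructed model of how a query
// builder can drop a non-object `where` value, and of the post-fix behaviour
// of rejecting it. All function and data names here are assumptions.

// A Date, Array, class instance or primitive is not a plain object and
// carries no usable filter conditions.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Compile a `where` value into a parameterised SQL fragment.
//   strict: false -> pre-fix behaviour from the advisory: an unsupported
//                    value becomes the tautology 1=1 (filter discarded)
//   strict: true  -> post-fix behaviour (default): throw instead of widening
function compileWhere(where, options = {}) {
  const strict = options.strict !== false;
  if (where === undefined) {
    return { sql: '', params: [] }; // caller asked for no filter at all
  }
  if (!isPlainObject(where)) {
    const kind = Object.prototype.toString.call(where);
    if (strict) {
      throw new TypeError(`Unsupported value for "where" option: ${kind}`);
    }
    return { sql: 'WHERE 1=1', params: [] }; // filter silently discarded
  }
  const columns = Object.keys(where);
  if (columns.length === 0) {
    return { sql: '', params: [] };
  }
  const sql = 'WHERE ' + columns.map((col) => `"${col}" = ?`).join(' AND ');
  return { sql, params: columns.map((col) => where[col]) };
}

// In-memory stand-in for running the compiled query against a table, so the
// exposure can be observed without a database.
function selectRows(rows, where, options) {
  const { sql, params } = compileWhere(where, options);
  if (sql === '' || sql === 'WHERE 1=1') return rows.slice(); // every row
  const columns = Object.keys(where);
  return rows.filter((row) => columns.every((col, i) => row[col] === params[i]));
}

// Constructed sample table: documents belonging to two different owners.
const DOCUMENTS = [
  { id: 1, ownerId: 7, title: 'quarterly-plan' },
  { id: 2, ownerId: 7, title: 'budget' },
  { id: 3, ownerId: 9, title: 'hr-review' },
];

// Defender-side guard for application code: refuse anything that is not a
// plain object before it reaches the ORM. Useful on versions that cannot be
// upgraded immediately, and harmless on fixed versions.
function assertPlainWhere(where) {
  if (where !== undefined && !isPlainObject(where)) {
    throw new TypeError('where must be a plain object built by the application');
  }
  return where;
}

function demo() {
  // Pre-fix: a Date that leaked into the where option returns every owner's rows.
  const leaked = selectRows(DOCUMENTS, new Date(), { strict: false });
  // Post-fix: the same input is refused by the query builder.
  let rejected = false;
  try {
    selectRows(DOCUMENTS, new Date(), { strict: true });
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  // Guarded application code stays scoped even on the pre-fix builder.
  const scoped = selectRows(DOCUMENTS, assertPlainWhere({ ownerId: 7 }), { strict: false });
  return { leakedCount: leaked.length, rejected, scopedCount: scoped.length };
}

console.log(JSON.stringify(demo()));
```

Running the block prints `{"leakedCount":3,"rejected":true,"scopedCount":2}`: the pre-fix path returns the other owner's document along with the caller's own, the post-fix path throws, and the guard keeps results scoped regardless of the builder version. The guard is the mitigation to keep in application code while an upgrade is pending, since the ORM's own `where` handling was the only thing standing between the invalid value and an unfiltered query.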
Available Upgrade Options
- sequelize <6.28.1 → Upgrade to 6.28.1
- @sequelize/core <7.0.0-alpha.20 → Upgrade to 7.0.0-alpha.20
Additional Resources
- https://github.com/sequelize/sequelize/pull/15699
- https://github.com/sequelize/sequelize/releases/tag/v6.28.1
- https://csirt.divd.nl/CVE-2023-22579
- https://csirt.divd.nl/DIVD-2022-00020/
- https://github.com/sequelize/sequelize/discussions/15698
- https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20
- https://osv.dev/vulnerability/GHSA-vqfx-gj96-3w95
- https://github.com/sequelize/sequelize/pull/15375
- https://github.com/sequelize/sequelize/security/advisories/GHSA-vqfx-gj96-3w95
What are Similar Vulnerabilities to CVE-2023-22579?
Similar Vulnerabilities: CVE-2023-22578, CVE-2022-25925, CVE-2022-25926, CVE-2021-23429, CVE-2020-28499
