CVE-2023-25813
SQL injection vulnerability in sequelize (npm)
What is CVE-2023-25813 About?
This vulnerability is a SQL injection flaw in Sequelize that allows arbitrary SQL statements to be executed. It arises when a single query combines the `where` option with the `replacements` option, in particular when a `literal()` inside `where` references a named replacement and another part of the same `where` carries user-controlled data. The impact is severe, ranging from data manipulation to complete compromise of the database, and public proof-of-concept code exists that triggers it with crafted input.
Affected Software
- sequelize (npm): versions prior to 6.19.1 (fixed in 6.19.1)
Technical Details
The SQL injection affects Sequelize versions prior to 6.19.1 when one query uses both the `replacements` option and the `where` option, and the `where` clause contains a `literal()` that references a named replacement (for example `:firstName`). The root cause is the processing order: Sequelize first renders the `where` option to SQL text, escaping plain values such as `{ lastName: lastName }` into quoted string literals, and only then hands the finished SQL to `sequelize.query`, whose replacement step substitutes every `:name` token it finds in that text. If an attacker supplies `:firstName` as the value of `lastName`, the rendered clause contains the quoted literal `':firstName'`, and the replacement step rewrites the token inside those quotes as well. With a replacement value such as `OR true; DROP TABLE users;`, the escaped value `'OR true; DROP TABLE users;'` is spliced into the existing quotes, producing `"lastName" = ''OR true; DROP TABLE users;''`. The database parses the leading `''` as an empty string literal that ends the comparison, so the attacker's text runs as SQL, including the `DROP TABLE` statement.
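The processing order described above, reduced to a runnable model. This is an added example, not Sequelize's own code: the `escapeString`, `buildWhere`, `naiveInjectReplacements` and `buildVulnerableQuery` functions and the `users` table are assumptions that reproduce only the two steps that matter (render `where`, then textually apply `replacements`), not the real query generator.

```javascript
// Added example (not Sequelize code): minimal model of the pre-6.19.1 order of
// operations behind CVE-2023-25813. Only the two relevant steps are modelled.

// Step 1 helper: the escaping applied to a plain value in a `where` object.
// Single quotes are doubled, so a value on its own can never close its literal.
function escapeString(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Step 1: render `or(literal(...), { lastName })` to SQL text. The literal is
// emitted verbatim; the object part is escaped correctly at this point.
function buildWhere(literalSql, lastName) {
  return `${literalSql} OR "lastName" = ${escapeString(lastName)}`;
}

// Step 2: the naive replacement pass. It scans the *finished* SQL text for
// `:name` tokens and inlines the escaped value wherever a token appears,
// including inside string literals that step 1 already produced. That is the bug.
function naiveInjectReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(replacements, name)
      ? escapeString(replacements[name])
      : match);
}

// Assemble the query the way a vulnerable version did (assumed `users` table).
function buildVulnerableQuery(firstName, lastName) {
  const where = buildWhere('soundex("firstName") = soundex(:firstName)', lastName);
  const sql = `SELECT * FROM "users" WHERE ${where};`;
  return naiveInjectReplacements(sql, { firstName });
}

// Constructed attacker input matching the Technical Details section.
const attackerFirstName = 'OR true; DROP TABLE users;';
const attackerLastName = ':firstName';

console.log(buildVulnerableQuery('Jon', 'Smith'));
console.log(buildVulnerableQuery(attackerFirstName, attackerLastName));
```

With benign input both values end up as properly quoted literals. With the crafted input the second call prints `... OR "lastName" = ''OR true; DROP TABLE users;'';`: the `:firstName` token inside the quotes that step 1 emitted is rewritten, the leading `''` becomes an empty string literal, and everything after it is parsed as SQL.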
What is the Impact of CVE-2023-25813?
Successful exploitation allows an attacker to run arbitrary SQL statements with the privileges of the application's database account: reading, modifying or deleting database contents, or, depending on that account's grants, escalating privileges within the database environment.
What is the Exploitability of CVE-2023-25813?
Exploitation is of medium complexity: the attacker needs to understand how the target application combines the `where` and `replacements` options in a vulnerable Sequelize query. No authentication or elevated privileges are inherently required as long as the attacker controls the input that reaches that query, and the flaw is reachable remotely through any endpoint that forwards user input to it. The critical condition is an application running a vulnerable Sequelize version and building queries in which user-controlled input can reach both a value in `where` and a named replacement referenced from a `literal()`. The more often an application combines these mechanisms with untrusted input, the more likely exploitation becomes.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| White-BAO | Link | 12 |
| bde574786 | Link | PoC for CVE-2023-25813 |
| pbj2647 | Link | PoC for CVE-2023-25813 |
What are the Available Fixes for CVE-2023-25813?
About the Fix from Resolved Security
The patch replaces the previous ad-hoc text substitution with a new injectReplacements implementation that walks the SQL and recognises replacement tokens only where they appear as SQL code, leaving anything inside string literals, comments or quoted identifiers untouched. A `:name` that an attacker smuggles into an escaped value therefore stays an inert string, which removes the SQL injection described in CVE-2023-25813. The fix ships in Sequelize 6.19.1.
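A context-aware replacement injector in the spirit of the fix described above, run on the same crafted input from the Technical Details section. This is an added example, not the Sequelize project's `injectReplacements`: the tokenizer, its Postgres-style quoting rules (`''` and `""` as escapes, `--` and `/* */` comments, `::` as a cast rather than a token) and the `buildWhere`/`buildFixedQuery` helpers are assumptions made for illustration.

```javascript
// Added example (not Sequelize code): a replacement injector that only
// recognises `:name` tokens in SQL code context. Quoting rules are assumed to
// be Postgres-style; the real implementation is dialect-aware.

function escapeString(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Return the index just past a quoted span that starts at `start`. A doubled
// quote character inside the span is an escape, not a terminator. An
// unterminated span runs to the end of the input and is copied verbatim.
function quotedSpanEnd(sql, start, quote) {
  let j = start + 1;
  while (j < sql.length) {
    if (sql[j] === quote) {
      if (sql[j + 1] === quote) { j += 2; continue; }
      return j + 1;
    }
    j++;
  }
  return sql.length;
}

function injectReplacements(sql, replacements) {
  let out = '';
  let i = 0;
  const n = sql.length;
  while (i < n) {
    const ch = sql[i];
    // String literal ('...') or quoted identifier ("..."): copy through as-is,
    // so a `:name` inside it is never treated as a token.
    if (ch === "'" || ch === '"') {
      const end = quotedSpanEnd(sql, i, ch);
      out += sql.slice(i, end);
      i = end;
      continue;
    }
    // Line comment: copy through to the end of the line.
    if (ch === '-' && sql[i + 1] === '-') {
      let end = sql.indexOf('\n', i);
      if (end === -1) end = n;
      out += sql.slice(i, end);
      i = end;
      continue;
    }
    // Block comment: copy through the closing */ (or to the end if missing).
    if (ch === '/' && sql[i + 1] === '*') {
      const close = sql.indexOf('*/', i + 2);
      const end = close === -1 ? n : close + 2;
      out += sql.slice(i, end);
      i = end;
      continue;
    }
    // `::` is the cast operator, not the start of a token.
    if (ch === ':' && sql[i + 1] === ':') {
      out += '::';
      i += 2;
      continue;
    }
    // A `:name` token in code context: substitute the escaped value if known,
    // otherwise leave the text alone.
    if (ch === ':' && /[A-Za-z_]/.test(sql[i + 1] || '')) {
      let j = i + 1;
      while (j < n && /\w/.test(sql[j])) j++;
      const name = sql.slice(i + 1, j);
      out += Object.prototype.hasOwnProperty.call(replacements, name)
        ? escapeString(replacements[name])
        : sql.slice(i, j);
      i = j;
      continue;
    }
    out += ch;
    i++;
  }
  return out;
}

// Same query shape as the vulnerable pattern, now with the context-aware pass.
function buildWhere(literalSql, lastName) {
  return `${literalSql} OR "lastName" = ${escapeString(lastName)}`;
}

function buildFixedQuery(firstName, lastName) {
  const where = buildWhere('soundex("firstName") = soundex(:firstName)', lastName);
  return injectReplacements(`SELECT * FROM "users" WHERE ${where};`, { firstName });
}

console.log(buildFixedQuery('OR true; DROP TABLE users;', ':firstName'));
```

With the crafted input the `:firstName` that the attacker placed in `lastName` is copied through inside its quotes and the query compares `"lastName"` to the literal string `:firstName`; only the token inside `soundex(...)` is replaced, and it arrives as a single escaped literal. Upgrading to 6.19.1 is the fix; as defence in depth, avoid letting user input reach both a `where` value and a `literal()` that references a replacement in the same query.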
Available Upgrade Options
- sequelize
- <6.19.1 → Upgrade to 6.19.1
Additional Resources
- https://github.com/sequelize/sequelize/issues/14519
- https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b
- https://nvd.nist.gov/vuln/detail/CVE-2023-25813
- https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027
- https://osv.dev/vulnerability/GHSA-wrh9-cjv3-2hpw
- https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw
- https://github.com/sequelize/sequelize/releases/tag/v6.19.1
- https://github.com/sequelize/sequelize
What are Similar Vulnerabilities to CVE-2023-25813?
Similar Vulnerabilities: CVE-2021-22926, CVE-2021-2470, CVE-2020-0796, CVE-2020-11022, CVE-2020-14364
