GHSA-WRH9-CJV3-2HPW

Vulnerability from github – Published: 2023-02-22 22:59 – Updated: 2023-02-22 22:59
VLAI?
Summary
Sequelize vulnerable to SQL Injection via replacements
Details

Impact

The SQL injection exploit is related to replacements. Here is such an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the where option.

User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query which parsed the resulting SQL to inject all :replacements.

If the user passed values such as

{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}

Sequelize would first generate this query:

SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Then would inject replacements in it, which resulted in this:

SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

As you can see this resulted in arbitrary user-provided SQL being executed.

Patches

The issue was fixed in Sequelize 6.19.1

Workarounds

Do not use the replacements and the where option in the same query if you are not using Sequelize >= 6.19.1

References

See this thread for more information: https://github.com/sequelize/sequelize/issues/14519

Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027

Severity ?
10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sequelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.19.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-22T22:59:09Z",
    "nvd_published_at": "2023-02-22T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe SQL injection exploit is related to replacements. Here is such an example: \n\nIn the following query, some parameters are passed through replacements, and some are passed directly through the `where` option.\n\n```typescript\nUser.findAll({\n  where: or(\n    literal(\u0027soundex(\"firstName\") = soundex(:firstName)\u0027),\n    { lastName: lastName },\n  ),\n  replacements: { firstName },\n})\n```\n\nThis is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the `where` option, then passed it over to `sequelize.query` which parsed the resulting SQL to inject all `:replacements`.\n\nIf the user passed values such as\n\n```json\n{\n  \"firstName\": \"OR true; DROP TABLE users;\",\n  \"lastName\": \":firstName\"\n}\n```\n\nSequelize would first generate this query:\n\n```sql\nSELECT * FROM users WHERE soundex(\"firstName\") = soundex(:firstName) OR \"lastName\" = \u0027:firstName\u0027\n```\n\nThen would inject replacements in it, which resulted in this:\n\n```sql\nSELECT * FROM users WHERE soundex(\"firstName\") = soundex(\u0027OR true; DROP TABLE users;\u0027) OR \"lastName\" = \u0027\u0027OR true; DROP TABLE users;\u0027\u0027\n```\n\nAs you can see this resulted in arbitrary user-provided SQL being executed.\n\n### Patches\n\nThe issue was fixed in Sequelize 6.19.1\n\n### Workarounds\n\nDo not use the `replacements` and the `where` option in the same query if you are not using Sequelize \u003e= 6.19.1 \n\n### References\n\nSee this thread for more information: https://github.com/sequelize/sequelize/issues/14519\n\nSnyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027",
  "id": "GHSA-wrh9-cjv3-2hpw",
  "modified": "2023-02-22T22:59:09Z",
  "published": "2023-02-22T22:59:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/issues/14519"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sequelize/sequelize"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/releases/tag/v6.19.1"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sequelize vulnerable to SQL Injection via replacements"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.