Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See sequelize/sequelize#15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.

A discussion thread about this issue is open at sequelize/sequelize#15694
CVE: CVE-2023-22578

References

• GHSA-f598-mfpv-gmfx
• https://nvd.nist.gov/vuln/detail/CVE-2023-22578
• sequelize/sequelize#15710
• https://csirt.divd.nl/CVE-2023-22578
• https://csirt.divd.nl/DIVD-2022-00020/
• sequelize/sequelize#15694
• https://github.com/sequelize/sequelize/releases/tag/v6.29.0
• https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20