Sequelize v5.15.1 Release Notes
Release Date: 2019-08-18
5.15.1 (2019-08-18)
Security

This fixes a security issue with sequelize.json() for MySQL. Old code was still used for formatting sub paths for JSON queries when used with the sequelize.json() helper function.

Example of attack vector:

```js
return User.findAll({ where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1) });
```
Thanks to @Kirill89 from Snyk Security Research Team for reporting this issue.