CVE-2016-10550: SQL Injection in sequelize
N/A
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.65488%
CWE
Published
2/18/2019
Updated
1/9/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
-
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
sequelize | npm | < 3.17.0 | 3.17.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped user input in LIMIT/OFFSET clauses. The commit diff shows critical changes where limit/offset parameters were wrapped in escape()
calls across multiple dialects' query generators. The affected functions directly interpolated user-controlled values into SQL fragments without proper sanitization, particularly in the abstract base implementation and dialect-specific implementations for MSSQL, PostgreSQL, and SQLite. The added test cases in offset-limit.test.js
verify proper escaping of malicious values, confirming these were the vulnerable points.