N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10550

GHSA ID

GHSA-98pq-pmw9-4gpm

EPSS Score

0.65488%

CWE

CWE-89

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10550

CVE-2016-10550: SQL Injection in sequelize

Affected versions of sequelize are vulnerable to SQL Injection in locations where user input is passed into the limit or order parameters of sequelize query calls, such as findOne or findAll.

Recommendation

Update to version 3.17.0 or later.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10550

GHSA ID

GHSA-98pq-pmw9-4gpm

EPSS Score

0.65488%

CWE

CWE-89

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sequelize	npm	< 3.17.0	3.17.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped user input in LIMIT/OFFSET clauses. The commit diff shows critical changes where limit/offset parameters were wrapped in escape() calls across multiple dialects' query generators. The affected functions directly interpolated user-controlled values into SQL fragments without proper sanitization, particularly in the abstract base implementation and dialect-specific implementations for MSSQL, PostgreSQL, and SQLite. The added test cases in offset-limit.test.js verify proper escaping of malicious values, confirming these were the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `s*qu*liz*` *r* vuln*r**l* to SQL Inj**tion in lo**tions w**r* us*r input is p*ss** into t** `limit` or `or**r` p*r*m*t*rs o* `s*qu*liz*` qu*ry **lls, su** *s `*in*On*` or `*in**ll`. ## R**omm*n**tion Up**t* to v*rsion *.**.*

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** us*r input in LIMIT/O**S*T *l*us*s. T** *ommit *i** s*ows *riti**l ***n**s w**r* limit/o**s*t p*r*m*t*rs w*r* wr*pp** in `*s**p*()` **lls **ross multipl* *i*l**ts' qu*ry **n*r*tors. T** *****t** *un*tions *ir**t

N/A

Basic Information

Concerned about an active attack path?

CVE-2016-10550: SQL Injection in sequelize

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI