N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10553

GHSA ID

GHSA-2v7q-2xqx-f4q5

EPSS Score

0.51077%

CWE

CWE-89

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10553

CVE-2016-10553: Potential SQL Injection in sequelize

Affected versions of sequelize are vulnerable to SQL Injection when user input is passed into findOne or into a statement such as where: "user input".

Recommendation

Update to version 3.0.0 or later.

Version 3.0.0 will introduce a number of breaking changes. Thankfully, the project authors have provided a 2.x -> 3.x upgrade guide to ease this transition.

If upgrading is not an option, it is also possible to mitigate this by ensuring that all uses of where: "input" and findOne("input") are properly sanitized, such as by the use of a wrapper function.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2016-10553

GHSA ID

GHSA-2v7q-2xqx-f4q5

EPSS Score

0.51077%

CWE

CWE-89

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sequelize	npm	<= 2.1.3	3.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided patches (29b6a54 and 2798738) do not address the SQL injection vulnerability (CVE-2016-10553) described in the advisory. The first commit fixes a delimiter collision in PostgreSQL function generation, and the second addresses a regression in timestamp handling. Neither patch modifies the findOne method or where clause processing, which are the vectors explicitly called out in the vulnerability description. The actual fix for CVE-2016-10553 likely resides in Sequelize 3.0.0's changes to input sanitization in query construction, but these changes are not present in the analyzed patches. Without direct evidence of vulnerable code paths in the provided diffs, no functions can be confidently identified for runtime detection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `s*qu*liz*` *r* vuln*r**l* to SQL Inj**tion w**n us*r input is p*ss** into `*in*On*` or into * st*t*m*nt su** *s `w**r*: "us*r input"`. ## R**omm*n**tion Up**t* to v*rsion *.*.* or l*t*r. V*rsion *.*.* will intro*u** * num**

Reasoning

T** provi*** p*t***s (******* *n* *******) *o not ***r*ss t** SQL inj**tion vuln*r**ility (*V*-****-*****) **s*ri*** in t** **visory. T** *irst *ommit *ix*s * **limit*r *ollision in Post*r*SQL *un*tion **n*r*tion, *n* t** s**on* ***r*ss*s * r**r*ssio

N/A

Basic Information

Concerned about an active attack path?

CVE-2016-10553: Potential SQL Injection in sequelize

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI