10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-22578

CVE-2023-22578: Sequelize - Default support for “raw attributes” when using parentheses

Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.

A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694 CVE: CVE-2023-22578

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-22578

CVE-2023-22578:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@sequelize/core	npm	< 7.0.0-alpha.20	7.0.0-alpha.20
sequelize	npm	< 6.29.0	6.29.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how Sequelize processes the attributes option in query methods like findAll. The attributeToSQL function in the query generator is responsible for converting attribute definitions into SQL fragments. In vulnerable versions, attributes with parentheses (e.g., count(id)) were treated as raw SQL instead of being escaped as identifiers. This allowed attackers to inject arbitrary SQL via user-controlled input in the attributes array. The patch in v6.29.0 introduced explicit checks for parentheses in this function, and v7.0.0 enforced escaping. The function's role in attribute processing and the patch's focus on it confirm its vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-22578: Sequelize - Default support for “raw attributes” when using parentheses

Impact

Patches

Mitigations

CVE-2023-22578:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2023-22578: Sequelize - Default support for “raw attributes” when using parentheses

Impact

Patches

Mitigations

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

10

10

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI