CVE-2023-25813

10.0 CRITICAL

📋 TL;DR

CVE-2023-25813 is a critical SQL injection vulnerability in Sequelize ORM for Node.js where user-provided parameters passed through replacements are not properly escaped. This allows attackers to execute arbitrary SQL commands on databases. All applications using Sequelize versions before 6.19.1 with the vulnerable replacement feature are affected.

💻 Affected Systems

Products:
  • Sequelize ORM
Versions: All versions prior to 6.19.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects queries using both replacements and where options together. Applications using only one or the other are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data destruction, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case: Data exfiltration, data manipulation, authentication bypass, and potential lateral movement within the database environment.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user input to reach vulnerable query construction. Public proof-of-concept exists in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.19.1

Vendor Advisory: https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw

Restart Required: Yes

Instructions:

1. Update package.json to specify sequelize version 6.19.1 or higher.
2. Run npm update sequelize or yarn upgrade sequelize.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Avoid replacements with where clauses (applies to: all versions)

Do not use the replacements parameter together with the where option in Sequelize queries.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Use parameterized queries instead of replacements feature

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list sequelize to verify version is below 6.19.1

Check Version:

npm list sequelize | grep sequelize

Verify Fix Applied:

Confirm sequelize version is 6.19.1 or higher via npm list sequelize

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns
  • Multiple failed login attempts with SQL-like syntax
  • Database errors containing user input

Network Indicators:

  • Unusual database connection patterns
  • Large data transfers from database server

SIEM Query:

source="application.log" AND ("SQL syntax" OR "sequelize" OR "database error") AND (user_input OR replacements)
