CVE-2023-6293

7.1 HIGH

📋 TL;DR

This CVE describes a prototype pollution vulnerability in the sequelize-typescript library versions prior to 2.1.6. Attackers can inject malicious properties into JavaScript objects, potentially leading to remote code execution or privilege escalation. Applications using vulnerable versions of this TypeScript ORM library are affected.

💻 Affected Systems

Products:
  • sequelize-typescript
Versions: All versions prior to 2.1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the sequelize-typescript library with untrusted user input.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or lateral movement within the network.

🟠 Likely Case

Denial of service, data manipulation, or privilege escalation within the application context.

🟢 If Mitigated

Limited impact due to input validation, sandboxing, or other security controls preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires an attacker to control input that is processed by the vulnerable library functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.6

Vendor Advisory: https://github.com/robinbuschmann/sequelize-typescript/commit/5ce8afdd1671b08c774ce106b000605ba8fccf78

Restart Required: Yes

Instructions:

1. Update package.json to specify sequelize-typescript version 2.1.6 or higher.
2. Run npm update sequelize-typescript or yarn upgrade sequelize-typescript.
3. Restart your application server.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and sanitization for all user-controlled data before passing it to sequelize-typescript functions.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Deploy web application firewall (WAF) rules to detect and block prototype pollution attempts
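One way to implement the input-validation workaround above, as an added example that is not code from sequelize-typescript or this advisory: a recursive check that walks a parsed JSON request body and reports every key named __proto__, constructor or prototype (the same key names the Detection section lists as indicators), plus an Express-style middleware (assumed API) that rejects such requests and logs a line the SIEM query would match. The request bodies at the bottom are constructed samples.

```javascript
// Added example: block prototype-pollution key names in parsed request bodies
// before the data reaches the ORM. Generic defensive check, not library code.

const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the dotted path of every suspicious key.
// JSON.parse stores a "__proto__" key as an own property, so Object.keys sees
// it; "constructor" followed by "prototype" is the other common shape.
// Note: a legitimate field literally named "constructor" is also flagged.
function findPollutionPaths(value, path = '', out = []) {
  if (value === null || typeof value !== 'object') return out;
  const entries = Array.isArray(value)
    ? value.map((v, i) => [String(i), v])
    : Object.keys(value).map((k) => [k, value[k]]);
  for (const [key, child] of entries) {
    const here = path ? `${path}.${key}` : key;
    if (POLLUTION_KEYS.has(key)) out.push(here);
    findPollutionPaths(child, here, out);
  }
  return out;
}

// Express-style middleware (assumed req/res/next shape). Assumes the body was
// already parsed, e.g. by express.json(). Rejects the request on any hit.
function rejectPrototypePollution(req, res, next) {
  const hits = findPollutionPaths(req.body);
  if (hits.length > 0) {
    // Log only the key paths, never the raw payload.
    console.error(`prototype pollution attempt blocked: ${hits.join(', ')}`);
    return res.status(400).json({ error: 'invalid request body' });
  }
  return next();
}

// Constructed sample bodies: one benign, one carrying pollution keys.
const benignBody = JSON.parse('{"name":"alice","profile":{"age":30}}');
const suspiciousBody = JSON.parse(
  '{"name":"bob","profile":{"__proto__":{"isAdmin":true}},' +
  '"settings":[{"constructor":{"prototype":{"polluted":1}}}]}'
);

console.log(findPollutionPaths(benignBody));      // []
console.log(findPollutionPaths(suspiciousBody));  // three flagged paths
```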

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for sequelize-typescript version. If version is less than 2.1.6, you are vulnerable.

Check Version:

npm list sequelize-typescript

Verify Fix Applied:

After updating, verify that sequelize-typescript version is 2.1.6 or higher in package.json and that the application starts without errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual property assignments in JavaScript objects
  • Unexpected prototype modifications
  • Application crashes or unexpected behavior

Network Indicators:

  • HTTP requests with unusual property names or nested structures
  • Requests attempting to modify __proto__ or constructor properties

SIEM Query:

source="application_logs" AND ("__proto__" OR "constructor" OR "prototype") AND status="error"
