CVE-2026-30951
📋 TL;DR
This SQL injection vulnerability in Sequelize allows attackers who control JSON object keys to inject arbitrary SQL queries through unescaped cast type processing. This can lead to data exfiltration from any database table accessible to the application. All applications using vulnerable Sequelize versions with JSON/JSONB where clause processing are affected.
💻 Affected Systems
- Sequelize
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, modification, or deletion of all tables accessible to the application database user.
Likely Case
Data exfiltration from database tables, potentially exposing sensitive information like user credentials, personal data, or business records.
If Mitigated
Limited impact if proper input validation and database user permissions restrict access to sensitive tables.
🎯 Exploit Status
Exploitation requires an attacker to control JSON object keys in application input. The public advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.37.8
Vendor Advisory: https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr
Restart Required: Yes
Instructions:
1. Update Sequelize dependency in package.json to '^6.37.8'
2. Run 'npm update sequelize' or 'yarn upgrade sequelize'
3. Restart the Node.js application
🔧 Temporary Workarounds
Input Validation
Validate and sanitize all user inputs that become JSON object keys before passing them to Sequelize JSON/JSONB where clauses.
🧯 If You Can't Patch
- Implement strict input validation for all JSON object keys used in database queries.
- Apply database-level access controls to limit application database user permissions to minimum required tables.
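The input-validation workaround above, written out as an added example (this is not code from Sequelize or from the advisory): user-supplied JSON object keys are checked against an identifier-only pattern and a fixed allow-list before anything is placed under a where clause. The allow-list contents, the nesting limit, and the shape of the returned object (the caller is assumed to put it under Sequelize's `where` option) are assumptions for the example.

```javascript
// Added example (not code from Sequelize or from this advisory): allow-list
// validation of user-supplied JSON object keys before they are used to build
// the `where` option for a JSON/JSONB column. Rejecting unknown keys up front
// means the ORM never sees attacker-controlled key text.

// Assumption: the application only ever filters on these JSON attributes.
const ALLOWED_JSON_KEYS = new Set(['status', 'tier', 'country', 'address', 'city']);

// Plain identifier characters only; anything else (':', '"', '(', spaces, ...)
// is refused before the allow-list check so the failure reason is explicit.
const SAFE_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;
const MAX_DEPTH = 2; // assumed limit on nested JSON filter objects

function isScalar(v) {
  return typeof v === 'string' || typeof v === 'number' || typeof v === 'boolean' || v === null;
}

// Returns null when `obj` is acceptable, otherwise a human-readable reason.
function validateJsonFilter(obj, allowedKeys, depth = 1) {
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return 'filter must be a plain object';
  }
  if (depth > MAX_DEPTH) return `nesting deeper than ${MAX_DEPTH} levels`;
  for (const [key, value] of Object.entries(obj)) {
    if (!SAFE_KEY.test(key)) return `unsafe characters in key ${JSON.stringify(key)}`;
    if (!allowedKeys.has(key)) return `key not in allow-list: ${key}`;
    if (isScalar(value)) continue;
    // Nested objects are JSON keys too, so they get the same checks.
    const nested = validateJsonFilter(value, allowedKeys, depth + 1);
    if (nested !== null) return `${key}: ${nested}`;
  }
  return null;
}

// Builds { [column]: filter } for the caller to place under `where`.
// The result shape is an assumption about how the caller queries the column.
function buildJsonWhere(column, userFilter, allowedKeys = ALLOWED_JSON_KEYS) {
  const reason = validateJsonFilter(userFilter, allowedKeys);
  if (reason !== null) return { ok: false, reason };
  return { ok: true, where: { [column]: userFilter } };
}

// Usage with constructed input (e.g. the parsed body of an HTTP request):
const example = buildJsonWhere('meta', { status: 'active', address: { city: 'Oslo' } });
console.log(example);
```

Failing closed on any unexpected key is the point: a rejected request returns a reason the application can log, and only keys the application itself declared ever reach the query builder.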
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list sequelize' to see whether the installed version is below 6.37.8.
Check Version:
npm list sequelize | grep sequelize
Verify Fix Applied:
Confirm that the Sequelize version is 6.37.8 or higher using the 'npm list sequelize' command.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries containing CAST operations with unexpected types
- Database errors related to SQL syntax in JSON path processing
- Unusual database access patterns from application
Network Indicators:
- Increased database query volume from application server
- Unusual data transfer patterns from database
SIEM Query:
source="application_logs" AND ("CAST" OR "::") AND ("JSON" OR "JSONB") AND error
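The SIEM query above, applied to raw log lines as an added example (not part of the advisory): the same three AND-ed term groups are evaluated per line, and matches are counted per host so a burst of cast-related JSON errors from one application server stands out. The log lines are constructed samples rather than real Sequelize output, and the "<timestamp> <host> <level> <message>" layout is an assumption.

```javascript
// Added example (not from the advisory): the page's SIEM query
//   source="application_logs" AND ("CAST" OR "::") AND ("JSON" OR "JSONB") AND error
// expressed as a filter over raw log lines, plus a per-host count so a burst of
// matching errors can be surfaced. Lines below are constructed samples, not real
// Sequelize output; the "<timestamp> <host> <level> <message>" layout is assumed.

const SAMPLE_LOGS = [
  '2026-03-01T10:00:00Z web-1 error SequelizeDatabaseError: syntax error at or near ")" in CAST of JSONB path',
  '2026-03-01T10:00:02Z web-1 info GET /api/items 200 12ms',
  '2026-03-01T10:00:03Z web-1 error SequelizeDatabaseError: invalid input syntax for type integer in ::integer JSON filter',
  '2026-03-01T10:00:09Z web-2 warn slow query: CAST on json column took 850ms',
  '2026-03-01T10:00:15Z web-1 error SequelizeDatabaseError: cannot cast JSONB value: unknown type name',
];

// Search-engine style term matching is case-insensitive, so compare upper-cased text.
// "JSONB" contains "JSON", so the second OR-group reduces to one substring test.
function matchesSiemQuery(line) {
  const s = line.toUpperCase();
  const castTerm = s.includes('CAST') || s.includes('::');
  const jsonTerm = s.includes('JSON');
  const errorTerm = s.includes('ERROR');
  return castTerm && jsonTerm && errorTerm;
}

function findSuspiciousLines(lines) {
  return lines.filter(matchesSiemQuery);
}

// Count matching lines per host (second whitespace-separated field, by assumption).
function countMatchesByHost(lines) {
  const counts = {};
  for (const line of findSuspiciousLines(lines)) {
    const host = line.split(' ')[1];
    counts[host] = (counts[host] || 0) + 1;
  }
  return counts;
}

// Hosts whose count of matching errors reaches `threshold` within the batch;
// the threshold is a tuning knob, not a value from the advisory.
function hostsOverThreshold(lines, threshold) {
  return Object.entries(countMatchesByHost(lines))
    .filter(([, n]) => n >= threshold)
    .map(([host]) => host);
}

console.log(findSuspiciousLines(SAMPLE_LOGS));
console.log(hostsOverThreshold(SAMPLE_LOGS, 3));
```

The slow-query warning on web-2 is deliberately left unmatched: it contains CAST and JSON but no error term, which is exactly the boundary the query draws. Tune the threshold against a baseline of normal error volume before alerting on it.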