CVE-2019-10752

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-10752

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10752.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-10752

Aliases

GHSA-m9jw-237r-gvfv

Related

SNYK-JS-SEQUELIZE-459751
SNYK-JS-SEQUELIZE-459751,

Published

2019-10-17T19:15:10.420Z

Modified

2026-04-10T04:13:06.840794Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.

References

Affected packages

Git / github.com/sequelize/sequelize

Affected ranges

Type

GIT

Repo

https://github.com/sequelize/sequelize

Events

Introduced

d960cf152880e8da1e5f3054ea7608a8207d2468

Fixed

efd2f40620107cef01e56856457ba1b607af79f5

Introduced

Fixed

9bd0bc111b6f502223edf7e902680f7cc2ed541e

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.44.3"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.15.1"
        }
    ]
}

Affected versions

v4.*

v4.0.0

v4.1.0

v4.10.0

v4.10.1

v4.10.2

v4.10.3

v4.11.0

v4.11.1

v4.11.2

v4.11.3

v4.11.4

v4.11.5

v4.11.6

v4.11.7

v4.12.0

v4.13.0

v4.13.1

v4.13.10

v4.13.11

v4.13.12

v4.13.13

v4.13.14

v4.13.15

v4.13.16

v4.13.17

v4.13.2

v4.13.3

v4.13.4

v4.13.5

v4.13.6

v4.13.7

v4.13.8

v4.13.9

v4.14.0

v4.15.0

v4.15.1

v4.15.2

v4.16.0

v4.16.1

v4.16.2

v4.17.0

v4.17.1

v4.17.2

v4.18.0

v4.19.0

v4.2.0

v4.2.1

v4.20.0

v4.20.1

v4.20.2

v4.20.3

v4.21.0

v4.22.0

v4.22.1

v4.22.10

v4.22.11

v4.22.12

v4.22.13

v4.22.14

v4.22.15

v4.22.16

v4.22.2

v4.22.3

v4.22.4

v4.22.5

v4.22.6

v4.22.7

v4.22.8

v4.22.9

v4.23.0

v4.23.1

v4.23.2

v4.23.3

v4.23.4

v4.24.0

v4.25.0

v4.25.1

v4.25.2

v4.26.0

v4.27.0

v4.28.0

v4.28.1

v4.28.2

v4.28.3

v4.28.4

v4.28.5

v4.28.6

v4.28.7

v4.28.8

v4.29.0

v4.29.1

v4.29.2

v4.29.3

v4.3.0

v4.3.1

v4.3.2

v4.30.0

v4.30.1

v4.30.2

v4.31.0

v4.31.1

v4.31.2

v4.32.0

v4.32.1

v4.32.2

v4.32.3

v4.32.4

v4.32.5

v4.32.6

v4.32.7

v4.33.0

v4.33.1

v4.33.2

v4.33.3

v4.33.4

v4.34.0

v4.34.1

v4.35.0

v4.35.1

v4.35.2

v4.35.3

v4.35.4

v4.35.5

v4.36.0

v4.36.1

v4.37.0

v4.37.1

v4.37.10

v4.37.2

v4.37.3

v4.37.4

v4.37.5

v4.37.6

v4.37.7

v4.37.8

v4.37.9

v4.38.0

v4.38.1

v4.39.0

v4.39.1

v4.4.0

v4.4.1

v4.4.10

v4.4.2

v4.4.4

v4.4.5

v4.4.6

v4.4.7

v4.4.8

v4.4.9

v4.40.0

v4.41.0

v4.41.1

v4.41.2

v4.42.0

v4.42.1

v4.43.0

v4.43.1

v4.43.2

v4.44.0

v4.44.1

v4.44.2

v4.5.0

v4.6.0

v4.7.0

v4.7.1

v4.7.2

v4.7.3

v4.7.4

v4.7.5

v4.8.0

v4.8.1

v4.8.2

v4.8.3

v4.8.4

v4.9.0

v5.*

v5.0.0-beta

v5.0.0-beta.1

v5.0.0-beta.10

v5.0.0-beta.11

v5.0.0-beta.12

v5.0.0-beta.13

v5.0.0-beta.14

v5.0.0-beta.15

v5.0.0-beta.16

v5.0.0-beta.17

v5.0.0-beta.2

v5.0.0-beta.3

v5.0.0-beta.4

v5.0.0-beta.5

v5.0.0-beta.6

v5.0.0-beta.7

v5.0.0-beta.8

v5.0.0-beta.9

v5.1.0

v5.1.1

v5.10.0

v5.10.1

v5.10.2

v5.10.3

v5.11.0

v5.12.0

v5.12.1

v5.12.2

v5.12.3

v5.13.0

v5.13.1

v5.14.0

v5.15.0

v5.2.0

v5.2.1

v5.2.10

v5.2.11

v5.2.12

v5.2.13

v5.2.14

v5.2.15

v5.2.2

v5.2.3

v5.2.4

v5.2.5

v5.2.6

v5.2.7

v5.2.8

v5.2.9

v5.3.0

v5.3.1

v5.3.2

v5.3.3

v5.3.4

v5.3.5

v5.4.0

v5.5.0

v5.5.1

v5.6.0

v5.6.1

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.7.4

v5.7.5

v5.7.6

v5.8.0

v5.8.1

v5.8.10

v5.8.11

v5.8.12

v5.8.2

v5.8.3

v5.8.4

v5.8.5

v5.8.6

v5.8.7

v5.8.8

v5.8.9

v5.9.0

v5.9.1

v5.9.2

v5.9.3

v5.9.4

v5.9.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10752.json"