CVE-2019-10752 in Sequelize
Summary
by MITRE
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
Analysis
by VulDB Data Team • 01/16/2024
Sequelize is a popular JavaScript object-relational mapping library that simplifies database interactions for Node.js applications by providing a high-level abstraction layer over various SQL databases, including MySQL, MariaDB and SQLite. The vulnerability identified as CVE-2019-10752 affects all versions of this widely used library prior to 4.44.3 and 5.15.1 and specifically concerns the sequelize.json() helper function, which is designed to facilitate JSON data querying within these database systems. The flaw is a critical SQL injection vulnerability: the library fails to properly escape values while formatting sub paths for JSON queries, creating an exploitable condition that allows malicious actors to inject arbitrary SQL commands into database operations.
Technically, the vulnerability stems from improper input sanitization within the sequelize.json() function when it processes JSON data structures for MySQL, MariaDB and SQLite databases. When developers use this helper to construct JSON queries, the library does not adequately escape special characters or SQL metacharacters present in the JSON path values, particularly in nested JSON structures or complex sub paths. This inadequate escaping allows attackers to inject malicious SQL fragments that are executed within the database context, potentially leading to full database compromise, including data exfiltration, unauthorized data modification or complete system takeover, depending on the privileges of the database user.
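The following is an added example, not code from Sequelize or from this advisory. It reproduces the class of defect described above in a minimal query builder: a JSON sub path interpolated into a quoted SQL literal without escaping, next to a hardened builder that allowlists path segments and emits the path through a string-literal escaper. The helper names (escapeSqlString, buildJsonExtractUnsafe, buildJsonExtractSafe) and the sample inputs are this example's own assumptions and do not reproduce the mechanics of the actual Sequelize fix.

```javascript
// Added example, not Sequelize's own code: how an unescaped JSON sub path
// becomes SQL injection, and how a hardened builder closes the gap.
// Helper names here are this example's own, not Sequelize APIs.

// Allowlists for a column identifier and for JSON path segments.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
const SEGMENT_RE = /^[A-Za-z0-9_]+$/;

// MySQL/MariaDB-style string literal: double every single quote and
// backslash so no value can terminate the literal early. (SQLite does not
// treat backslash as an escape, so only the quote doubling applies there.)
function escapeSqlString(value) {
  const body = String(value).replace(/\\/g, "\\\\").replace(/'/g, "''");
  return `'${body}'`;
}

// Vulnerable pattern (the defect the advisory describes): segments are
// interpolated straight into the quoted path, so a single quote inside a
// segment ends the literal and whatever follows is parsed as SQL.
function buildJsonExtractUnsafe(column, segments) {
  return `JSON_EXTRACT(${column}, '$.${segments.join(".")}')`;
}

// Hardened builder: reject any segment outside the allowlist, then emit the
// whole path through the literal escaper as defence in depth.
function buildJsonExtractSafe(column, segments) {
  if (!IDENT_RE.test(column)) {
    throw new Error(`invalid column identifier: ${JSON.stringify(column)}`);
  }
  for (const s of segments) {
    if (typeof s !== "string" || !SEGMENT_RE.test(s)) {
      throw new Error(`invalid JSON path segment: ${JSON.stringify(s)}`);
    }
  }
  return `JSON_EXTRACT(${column}, ${escapeSqlString("$." + segments.join("."))})`;
}

// Constructed inputs: a benign path and one carrying a stray quote.
const BENIGN_PATH = ["address", "city"];
const HOSTILE_PATH = ["address'", "city"];

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildJsonExtractUnsafe("profile", BENIGN_PATH));
  // The literal below closes right after $.address; the rest is bare SQL text.
  console.log(buildJsonExtractUnsafe("profile", HOSTILE_PATH));
  try {
    buildJsonExtractSafe("profile", HOSTILE_PATH);
  } catch (e) {
    console.log("rejected:", e.message);
  }
}
```

The allowlist is the primary control: JSON keys that an application lets users choose are almost always identifier-like, so anything else can be refused outright rather than escaped. Passing the finished path through escapeSqlString as well means that even a future relaxation of the allowlist cannot reintroduce a literal breakout.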
The operational impact of this vulnerability extends far beyond simple data corruption, as it affects the fundamental security model of applications that use Sequelize for database operations. Any application that employs the sequelize.json() function for JSON data handling becomes immediately vulnerable to SQL injection attacks, regardless of whether the application itself implements proper input validation or sanitization measures. The vulnerability is particularly dangerous because it operates at the library level rather than the application level, meaning that even well-secured applications following proper coding practices can be compromised if they rely on vulnerable versions of Sequelize. The attack surface includes any JSON query operation against database fields that hold JSON data types, making this a widespread concern across the many Node.js applications that use JSON storage and querying features.
Organizations running vulnerable versions of Sequelize should immediately remediate by upgrading to version 4.44.3 or 5.15.1, where the JSON escaping issue has been resolved. Additionally, administrators should conduct comprehensive vulnerability assessments of their application environments to identify any instance where the affected function is in use, focusing in particular on applications that handle user-provided JSON data or perform complex JSON queries. The vulnerability maps directly to CWE-89 (SQL Injection) and is aligned with ATT&CK technique T1071.004 (application layer protocol encryption evasion through database manipulation). Security teams should also consider web application firewalls and input validation layers as defensive measures while the upgrade is carried out, as this vulnerability can be exploited remotely without authentication or specialized privileges. The fix in the patched versions ensures proper escaping of JSON path components and maintains the integrity of SQL query construction while preserving the intended functionality of the JSON helper for legitimate use cases.
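The two assessment steps above, checking the installed version against the fixed releases and locating call sites of the affected helper, as an added example that is not part of the advisory or of Sequelize. The fixed versions 4.44.3 and 5.15.1 are taken from the advisory; the helper names, the treatment of major versions after 5 as unaffected, and the sample source text are this example's own assumptions.

```javascript
// Added example, not VulDB's or Sequelize's code: triage helpers for
// CVE-2019-10752. Fixed versions come from the advisory; names are ours.

// First fixed release per affected major line, from the advisory text.
const FIXED_BY_MAJOR = { 4: [4, 44, 3], 5: [5, 15, 1] };

// Parse a resolved "x.y.z" version (as printed by `npm ls sequelize` or
// recorded in a lockfile); any pre-release or build suffix is ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) {
    throw new Error(`not a resolved semver version: ${JSON.stringify(version)}`);
  }
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version falls in the affected range: anything
// before the 4.x fix, or a 5.x release before 5.15.1.
function isAffectedSequelize(version) {
  const v = parseVersion(version);
  const major = v[0];
  if (major < 4) return true;
  if (major > 5) return false; // ASSUMPTION: later major lines post-date the fix
  return compareVersions(v, FIXED_BY_MAJOR[major]) < 0;
}

// Locate call sites of the affected helper in source text. Matches both
// `sequelize.json(` and `Sequelize.json(`; aliased imports such as
// `const { json } = Sequelize` are not detected and need manual review.
function findJsonHelperCalls(source) {
  const hits = [];
  source.split("\n").forEach((text, idx) => {
    if (/\bsequelize\.json\s*\(/i.test(text)) {
      hits.push({ line: idx + 1, text: text.trim() });
    }
  });
  return hits;
}

// Constructed sample source, standing in for a file under review. The
// second line is the risky shape: a request parameter flows into the path.
const SAMPLE_SOURCE = [
  "const { Op } = require('sequelize');",
  "const where = sequelize.json('profile.' + req.query.field, req.query.value);",
  "const rows = await User.findAll({ where });",
  "const pref = Sequelize.json('settings.theme', 'dark');",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log("5.14.0 affected:", isAffectedSequelize("5.14.0"));
  console.log("5.15.1 affected:", isAffectedSequelize("5.15.1"));
  console.log(findJsonHelperCalls(SAMPLE_SOURCE));
}
```

In practice the version check is run over the resolved version from the lockfile rather than the range in package.json, since a caret range can resolve to either side of the fix; the call-site scan is a starting list for review, and each hit should be traced back to whether user-controlled data can reach the path argument.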