CVE-2016-1000225 — SQL Injection via GeoJSON in sequelize

Description

Affected versions of `sequelize` are vulnerable to SQL Injection in Models that have fields with the `GEOMETRY` DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using `ST_GeomFromGeoJSON`, and MySQL GeoJSON documents using `GeomFromText`. ## Recommendation Update to version 3.23.6 or later.

How to fix CVE-2016-1000225

To remediate CVE-2016-1000225, upgrade the affected package to a fixed version below.

npm/sequelize—upgrade to 3.23.6 or later

Is CVE-2016-1000225 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2016-1000225.

Affected packages (1)

>= 3.4.0, < 3.23.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-1000225
PATCHgithub.com/sequelize/sequelize
WEBgithub.com/sequelize/sequelize/commit/14e3deaf3ad27f12900e5275db1d448844c9de3e
WEBgithub.com/sequelize/sequelize/commit/18ac91040d9c57351d26ba998f460e214255b704