CVE-2016-10554
SQL Injection in sequelize
EPSS 0.49%
Description
Affected versions of `sequelize` apply MySQL's backslash-based escape syntax when connecting to SQLite, even though SQLite uses PostgreSQL's escape syntax. A quote escaped with a backslash is therefore not neutralised by SQLite, which can result in a SQL injection vulnerability.
Recommendation
Update to version 1.7.0-alpha3 or later.
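The dialect mismatch described above, as an added example that is not sequelize's own code: the two escaping conventions side by side, plus a small parser that applies SQLite's literal rules (a quote closes the literal unless it is doubled; a backslash is an ordinary character) to check whether an escaper really produces one string token. The function names and the sample value are constructed for this illustration.

```javascript
// Added example, not sequelize's code. Compares MySQL-style and
// SQLite/PostgreSQL-style escaping under SQLite's own quoting rules.

// MySQL-style: backslash-escape quotes and backslashes. This is the form
// the affected sequelize versions emitted regardless of dialect.
function escapeMysqlStyle(value) {
  return "'" + String(value).replace(/[\\']/g, (c) => '\\' + c) + "'";
}

// SQLite/PostgreSQL-style: the only escape inside a literal is a doubled
// single quote; backslash carries no special meaning.
function escapeSqliteStyle(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Parse a quoted literal the way SQLite's tokenizer does: a quote ends the
// literal unless the next character is also a quote. Returns the decoded
// value, whether the whole input was one literal, and any trailing text.
function parseSqliteLiteral(sql) {
  if (sql[0] !== "'") return { ok: false, value: null, rest: sql };
  let out = '';
  let i = 1;
  while (i < sql.length) {
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { out += "'"; i += 2; continue; }
      const rest = sql.slice(i + 1); // closing quote; the rest is new tokens
      return { ok: rest.length === 0, value: out, rest };
    }
    out += sql[i];
    i += 1;
  }
  return { ok: false, value: out, rest: '' }; // unterminated literal
}

// Round-trip check suitable for a regression test: the escaped form must
// parse back, under the target dialect's rules, to exactly one literal
// that equals the original value.
function escaperIsSafeForSqlite(escapeFn, value) {
  const parsed = parseSqliteLiteral(escapeFn(value));
  return parsed.ok && parsed.value === String(value);
}

// Constructed sample: an apostrophe in ordinary data is enough to expose
// the mismatch; no crafted payload is needed.
const SAMPLE = "O'Brien";
```

Upgrading is the remediation; the round-trip check is the kind of per-dialect test that would have flagged the mismatch before release.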
How to fix CVE-2016-10554
To remediate CVE-2016-10554, upgrade the affected package to a fixed version below.
- npm/sequelize: upgrade to 1.7.0 or later
Is CVE-2016-10554 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/sequelize: all versions from 0 up to, but not including, 1.7.0