CVE-2023-22578
Sequelize - Default support for “raw attributes” when using parentheses
Description
### Impact Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL ```ts User.findAll({ attributes: [ ['count(id)', 'count'] ] }); ``` Produced ```sql SELECT count(id) AS "count" FROM "users" ``` ### Patches This feature was deprecated in Sequelize 5, and using it prints a deprecation warning. This issue has been patched in [`@sequelize/core@7.0.0.alpha-20`](https://github.com/sequelize/sequelize/pull/15374) and [`sequelize@6.29.0`](https://github.com/sequelize/sequelize/pull/15710). In Sequelize 7, it now produces the following: ```sql SELECT "count(id)" AS "count" FROM "users" ``` In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include `()` without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information. ### Mitigations Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the `rawAttributes` property of your model first. --- A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694 CVE: CVE-2023-22578
How to fix CVE-2023-22578
To remediate CVE-2023-22578, upgrade the affected package to a fixed version below.
- —upgrade to 6.29.0 or later
- —upgrade to 7.0.0-alpha.20 or later
Is CVE-2023-22578 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 6.29.0