
exploitDog


CVE-2026-30951

Published: 10 Mar 2026
Source: nvd
CVSS3: 7.5
EPSS: Low

Description

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS ) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.

Vulnerable configurations

Configuration 1
cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*
Version before 6.37.8 (exclusive)

EPSS

Score: 0.00044 (percentile: 13%), Low

CVSS3

7.5 High

Weaknesses

CWE-89

Related vulnerabilities

CVSS3: 7.5
Source: redhat
17 days ago

A flaw was found in Sequelize, a Node.js Object-Relational Mapper (ORM) tool. A remote attacker can exploit a SQL injection vulnerability by manipulating JSON object keys during JSON/JSONB where clause processing. This allows for the injection of arbitrary SQL commands due to the improper handling of cast types. The primary consequence is the potential for unauthorized data exfiltration from any database table.

CVSS3: 7.5
Source: github
17 days ago

Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type
