Cyber Resilience

CVE-2023-25813

Severity: Critical · Public PoC referenced

Published: 22 February 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in 6.19.1)
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0352 (87.9th percentile)
Risk Priority: 22 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-25813 is a critical-severity SQL Injection (CWE-89) vulnerability in Sequelize, the Node.js ORM published by sequelizejs. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 12.1% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Sequelize, a Node.js object-relational mapping library, contains a SQL injection vulnerability in all versions prior to 6.19.1. The flaw arises because parameters supplied through the replacements mechanism are not properly escaped before being incorporated into queries, allowing arbitrary SQL injection when replacements are used together with the where option.

An unauthenticated remote attacker who can supply crafted replacement values to application queries that reach the database layer can read, write or modify database contents, depending on the affected queries and the privileges of the database account in use. The issue carries a CVSS score of 10.0 and is tracked under CWE-89.

Official advisories and the 6.19.1 release notes direct users to upgrade immediately. Where an upgrade is not feasible, applications must avoid combining the replacements feature with the where clause in the same query. The associated EPSS score remains low, with a modest peak of 0.0508 recorded well after disclosure.

EU & UK References

Vulnerability details

Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.
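The interim guidance above (do not combine `replacements` with `where` while still on a version before 6.19.1) is easy to state and easy to miss in a large code base. The following is an added defensive example, not code from the Sequelize project or from the advisory: a pre-flight guard an application can wrap around its model calls, plus a version check against the fix release the advisory names. It needs no Sequelize import; the `fakeUsers` model, the `guardedFindAll` wrapper and the `6.19.0` installed version are constructed for the demonstration.

```javascript
// Added defensive example, not code from the Sequelize project or from the
// advisory: a pre-flight guard an application can keep around its Sequelize
// calls while it is still on a version prior to 6.19.1. It needs no
// Sequelize import; "model" is any object exposing findAll(options).

const FIXED_VERSION = '6.19.1'; // fix release named in the advisory

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `installed` is older than the fixed release.
function isAffectedVersion(installed, fixed = FIXED_VERSION) {
  const a = parseSemver(installed);
  const b = parseSemver(fixed);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // same version as the fix => patched
}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Collect the option paths that carry a `where`, descending into `include`
// entries, because a top-level `replacements` applies to the whole query.
function collectWherePaths(options, path) {
  const out = [];
  if (!options || typeof options !== 'object') return out;
  if (has(options, 'where')) out.push(`${path}.where`);
  const includes = Array.isArray(options.include) ? options.include : [];
  includes.forEach((inc, i) => out.push(...collectWherePaths(inc, `${path}.include[${i}]`)));
  return out;
}

// Return every `where` that is combined with `replacements` in one query:
// the pattern the advisory tells unpatched users to avoid.
function findUnsafeCombos(options) {
  if (!options || typeof options !== 'object' || !has(options, 'replacements')) return [];
  return collectWherePaths(options, 'options');
}

// Wrapper (hypothetical helper): on an affected version refuse the unsafe
// combination, otherwise delegate to the model unchanged.
function guardedFindAll(model, options, installedVersion) {
  if (isAffectedVersion(installedVersion)) {
    const hits = findUnsafeCombos(options);
    if (hits.length > 0) {
      throw new Error(
        `Sequelize ${installedVersion} < ${FIXED_VERSION}: replacements combined with ` + hits.join(', ')
      );
    }
  }
  return model.findAll(options);
}

// Constructed sample: a stand-in model and a value containing a quote,
// the kind of input whose escaping matters for CWE-89.
const fakeUsers = { findAll: (opts) => ({ received: opts }) };
const untrustedName = "o'neil";

function example() {
  const version = '6.19.0'; // hypothetical installed version, before the fix
  let blocked = null;
  try {
    // Unsafe on < 6.19.1: `where` and `replacements` in the same query.
    guardedFindAll(fakeUsers, {
      where: { status: 'active' },
      replacements: { name: untrustedName },
    }, version);
  } catch (e) {
    blocked = e.message;
  }
  // Safe rewrite: pass the value inside `where` and drop `replacements`;
  // Sequelize escapes where-object values itself.
  const ok = guardedFindAll(fakeUsers, { where: { status: 'active', name: untrustedName } }, version);
  return { blocked, safeWhere: ok.received.where };
}

console.log(JSON.stringify(example(), null, 2));
```

The guard walks nested `include` entries as well as the top-level options, because a single `replacements` map is applied to the whole generated statement; a `where` buried in an include is still the combination the advisory warns about. Once the dependency is at 6.19.1 or later the wrapper passes every query through untouched, so the check can stay in place as a regression tripwire without changing behaviour on patched installs.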

CWE(s)

CWE-89: SQL Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sequelizejs / sequelize, versions ≤ 6.19.1 as listed (the advisory text above states that 6.19.1 is the fixed release and that versions prior to it are affected)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.

References