CVE-2023-25813
Published: 22 February 2023
Summary
CVE-2023-25813 is a critical-severity SQL Injection (CWE-89) vulnerability in Sequelizejs Sequelize. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 12.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Sequelize, a Node.js object-relational mapping library, contains a SQL injection vulnerability in all versions prior to 6.19.1. The flaw arises because parameters supplied through the replacements mechanism are not properly escaped before being incorporated into queries, allowing arbitrary SQL injection when replacements are used together with the where option.
An unauthenticated remote attacker can supply crafted replacement values in application queries that reach the database layer, resulting in full read, write, or modification of database contents depending on the affected queries and database privileges. The issue carries a CVSS score of 10.0 and is tracked under CWE-89.
Official advisories and the 6.19.1 release notes direct users to upgrade immediately. Where an upgrade is not feasible, applications must avoid combining the replacements feature with the where clause in the same query. The associated EPSS score remains low, with a modest peak of 0.0508 recorded well after disclosure.
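Two defender-side checks that follow from the guidance above, written as an added example rather than code from the advisory or the Sequelize project: a version comparison against the fixed release 6.19.1, and a scan of query option objects for the combination the workaround says to avoid (`replacements` together with `where`). The sample option objects are constructed for the demo; the check only looks at option keys, not at Sequelize internals.

```javascript
// Added example, not Sequelize's own code. Assumes query options are plain
// objects keyed as in the Sequelize docs (`where`, `replacements`).

// Parse "6.19.1" into [6, 19, 1]; pre-release suffixes are ignored (assumption).
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// True when `installed` is older than the fixed release (default 6.19.1).
function isAffectedVersion(installed, fixed = '6.19.1') {
  const a = parseVersion(installed);
  const b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false; // equal to the fixed version => not affected
}

// The advisory's workaround: never combine `replacements` with `where` in one
// query. True when an options object violates that rule.
function combinesReplacementsAndWhere(options) {
  if (!options || typeof options !== 'object') return false;
  const has = (k) => Object.prototype.hasOwnProperty.call(options, k);
  return has('replacements') && has('where');
}

// Audit a list of { name, options } descriptors; returns the offending names.
function auditQueries(queries) {
  return queries
    .filter((q) => combinesReplacementsAndWhere(q.options))
    .map((q) => q.name);
}

// Constructed sample: option objects as an application might build them.
const sampleQueries = [
  { name: 'findUserByName',
    options: { where: { active: true }, replacements: { name: 'alice' } } },
  { name: 'findActiveUsers',
    options: { where: { active: true } } },
];

// Usage: flag an outdated install and any query mixing the two options.
const affected = isAffectedVersion('6.18.0');   // true
const risky = auditQueries(sampleQueries);     // ['findUserByName']
```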
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0814
Vulnerability details
Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped, which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.