sequelize (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package sequelize, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (14)
CVE-2023-25813 — CVSS 10.0 (critical): Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are…
CVE-2019-10748 — CVSS 9.8 (critical): Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped…
CVE-2019-10749 — CVSS 9.8 (critical): sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the…
CVE-2019-10752 — CVSS 9.8 (critical): Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not…
CVE-2016-10553 — CVSS 9.8 (critical): sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server…
CVE-2016-10554 — CVSS 9.8 (critical): sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server…
CVE-2016-10550 — CVSS 9.8 (critical): sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server…
CVE-2026-30951 — CVSS 7.5 (high): Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The…
CVE-2016-10556 — CVSS 7.5 (high): sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server…
CVE-2019-11069 — CVSS 7.5 (high): Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used.
CVE-2015-1369 — CVSS 7.5 (high): SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the…
CVE-2023-22580 — CVSS 5.3 (medium): Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.