Unsafe fall-through in getWhereConditions
Critical severity
GitHub Reviewed
Published
Feb 21, 2023
in
sequelize/sequelize
•
Updated Feb 23, 2023
Description
Published to the GitHub Advisory Database
Feb 23, 2023
Reviewed
Feb 23, 2023
Last updated
Feb 23, 2023
Impact
Providing an invalid value to the
where
option of a query caused Sequelize to ignore that option instead of throwing an error.A finder call like the following did not throw an error:
As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option.
Patches
This issue has been patched in
[email protected]
&@sequelize/[email protected]
References
A discussion thread about this issue is open at sequelize/sequelize#15698
CVE: CVE-2023-22579
Snyk: https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090
References