{"id":"GHSA-2598-2f59-rmhq","summary":"SQL Injection in sequelize","details":"Versions of `sequelize` prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect,  which may allow attackers to inject SQL statements and execute arbitrary SQL queries.\n\n\n## Recommendation\n\nUpgrade to version 3.35.1 or later.","aliases":["CVE-2019-10749"],"modified":"2026-03-13T21:56:54.286457Z","published":"2019-11-08T17:05:17Z","database_specific":{"nvd_published_at":null,"cwe_ids":["CWE-89"],"github_reviewed_at":"2019-11-07T23:29:06Z","github_reviewed":true,"severity":"CRITICAL"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10749"},{"type":"WEB","url":"https://github.com/sequelize/sequelize/commit/ee4017379db0059566ecb5424274ad4e2d66bc68"},{"type":"WEB","url":"https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450222"},{"type":"WEB","url":"https://www.npmjs.com/advisories/1017"}],"affected":[{"package":{"name":"sequelize","ecosystem":"npm","purl":"pkg:npm/sequelize"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.35.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-2598-2f59-rmhq/GHSA-2598-2f59-rmhq.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}