Sequelize SQL Injection Vulnerability in JSON/JSONB Where Clause Processing

Vulnerability

A SQL injection vulnerability has been identified in Sequelize, a Node.js ORM, in versions through 6.37.7. The issue arises from unescaped cast types in JSON/JSONB 'where' clause processing. The vulnerability allows an attacker to inject arbitrary SQL and exfiltrate data from any table by manipulating JSON object keys. The flaw is rooted in the '_traverseJSON()' function, which improperly handles cast types by interpolating them directly into the generated SQL without validation or escaping. This vulnerability is present in all Sequelize dialects that support JSON, including SQLite, PostgreSQL, MySQL, and MariaDB.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate SQL queries and exfiltrate data from any table in the database. This could be achieved through UNION-based or boolean-blind injection techniques.

Reproduction

To reproduce this vulnerability, create a Sequelize model with a JSON column. Then, send a request that includes a 'where' clause filtering based on the JSON metadata. The injection can be tested by exploiting the JSON path casting feature to inject SQL payloads, such as bypassing 'where' clause conditions or using UNION-based injection to exfiltrate data from other tables.

Remediation

Users are advised to update Sequelize to version 6.37.8 or later, where this vulnerability has been patched.
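As an added example (not Sequelize's own code), the following pre-check rejects caller-controlled 'where' objects whose JSON-path keys carry anything other than a plain, allow-listed cast type name, and flags Sequelize versions the advisory lists as affected. It assumes the 'path::cast' key notation (for example 'metadata.age::integer') that the unescaped cast handling refers to; the allow-list contents and the sample inputs are constructed for illustration.

```javascript
// Added example, not Sequelize's own code. Before 6.37.8 the cast suffix of a
// JSON-path where key ('metadata.age::integer', an assumed notation) reached the
// SQL text unescaped, so only bare allow-listed type names are accepted here.
const ALLOWED_CASTS = new Set(['integer', 'text', 'boolean', 'numeric']);
const PLAIN_IDENT = /^[a-z_][a-z0-9_]*$/i;

// Walks a where object (nested objects, arrays, Symbol operator keys) and
// returns every string key whose cast segment is not a bare allow-listed name.
function findUnsafeCastKeys(where, allowedCasts = ALLOWED_CASTS) {
  const unsafe = [];
  const walk = (node) => {
    if (node === null || typeof node !== 'object') return;
    if (Array.isArray(node)) { node.forEach(walk); return; }
    for (const key of Reflect.ownKeys(node)) {
      if (typeof key === 'string') {
        const parts = key.split('::');
        if (parts.length > 2) {
          unsafe.push(key); // more than one cast marker is never legitimate
        } else if (parts.length === 2) {
          const cast = parts[1];
          if (!PLAIN_IDENT.test(cast) || !allowedCasts.has(cast.toLowerCase())) {
            unsafe.push(key);
          }
        }
      }
      walk(node[key]); // operator values (arrays, nested objects) are walked too
    }
  };
  walk(where);
  return unsafe;
}

// Throws instead of forwarding a where object that carries an unvalidated cast.
function assertSafeWhere(where) {
  const unsafe = findUnsafeCastKeys(where);
  if (unsafe.length) throw new Error(`rejected cast in where key(s): ${unsafe.join(', ')}`);
  return where;
}

// True for releases the advisory lists as affected: every version up to and
// including 6.37.7. Other major lines are not covered by the advisory.
function isAffectedSequelizeVersion(version) {
  const [major, minor, patch] = version.split('.').map(Number);
  if ([major, minor, patch].some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  if (major !== 6) return major < 6;
  return minor < 37 || (minor === 37 && patch <= 7);
}
```

Run assertSafeWhere on request-derived filter objects before handing them to findAll(); the check is a stopgap for deployments that cannot upgrade immediately, not a replacement for 6.37.8.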

Added: Mar 10, 2026, 9:26 PM
Updated: Mar 10, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.