top of page
perceptive_background_267k.jpg

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() func…

Published:

9 maart 2026 om 23:00:00

Alert date:

10 maart 2026 om 22:05:14

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Supply Chain & Dependencies, Database & Storage

Sequelize Node.js ORM tool contains a SQL injection vulnerability in versions prior to 6.37.8. The vulnerability exists in JSON/JSONB where clause processing where the _traverseJSON() function improperly handles cast types. Attackers who control JSON object keys can inject arbitrary SQL through unescaped cast types in CAST() operations. This allows data exfiltration from any table in the database. The issue is fixed in version 6.37.8.

Technical details

Mitigation steps:

Affected products:

Sequelize

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-30951
https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page