GMS-2019-139: NoSQL Injection in sequelize

June 4, 2019 (updated August 4, 2021)

Versions of sequelize prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as $gt are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection.

Recommendation

Upgrade to version 4.12.0 or later

References

github.com/advisories/GHSA-wfp9-vr4j-f49j
github.com/sequelize/sequelize/issues/7310
snyk.io/vuln/SNYK-JS-SEQUELIZE-174147
www.npmjs.com/advisories/820
www.npmjs.com/advisories/820/versions

Detect and mitigate GMS-2019-139 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →