Affected versions of sequelize are vulnerable to SQL injection when user input is passed as a string to findOne (findOne("user input")) or into a where clause written as a string (where: "user input"). A string in either position is treated as a raw SQL fragment rather than as a value, so any quote or operator in the input becomes part of the query.
Update to version 3.0.0 or later.
Version 3.0.0 introduces a number of breaking changes; the project authors have provided a 2.x -> 3.x upgrade guide to ease the transition.
If upgrading is not an option, it is also possible to mitigate this by ensuring that every use of where: "input" and findOne("input") receives only escaped or validated input, for example by routing all such calls through a wrapper function that escapes the value for the database dialect in use, or by switching those call sites to the object form of where (where: { column: input }), which Sequelize escapes itself.
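The following is an added illustration of the bug class and of the two mitigations above; it is not code from the sequelize project or from the advisory. It assumes a hypothetical application that, on sequelize 2.x, built its where clause by concatenating a username into a string. The `escapeLiteral` wrapper models MySQL-style backslash escaping (Postgres and SQLite double the quote instead), so a real wrapper must match the dialect actually in use. The object-form and replacements-form builders return the values you would hand to sequelize's `where` option or to `sequelize.query(sql, { replacements })`; nothing here connects to a database.

```javascript
// Added example, not code from the sequelize project or the advisory.
// Hypothetical app code that built string where clauses on sequelize 2.x.

// The vulnerable pattern: the user-controlled value is concatenated straight
// into the string that 2.x passed through as raw SQL.
function buildWhereStringUnsafe(username) {
  return "username = '" + username + "'";
}

// Mitigation 1 (fallback when upgrading is not possible): a wrapper that
// escapes the value before it is embedded in a string where clause.
// Models a MySQL-style single-quoted literal (backslash escapes); this is
// an assumption about the dialect, adjust for Postgres/SQLite (quote doubling).
function escapeLiteral(value) {
  const s = String(value)
    .replace(/\\/g, "\\\\")   // backslash first, so later escapes are not doubled
    .replace(/'/g, "\\'")     // the quote that ends the literal
    .replace(/\0/g, "\\0");   // NUL, which some drivers treat as a terminator
  return "'" + s + "'";
}

function buildWhereStringEscaped(username) {
  return "username = " + escapeLiteral(username);
}

// Mitigation 2 (preferred): hand Sequelize a where *object*. Values in the
// object form are escaped by the library, never concatenated by the app.
function buildWhereObject(username) {
  return { username: username };
}

// Mitigation 3, for places where raw SQL is unavoidable: bind the value with
// replacements instead of concatenating it. The returned pair is what you
// would pass as sequelize.query(sql, options).
function buildRawQuery(username) {
  return {
    sql: "SELECT * FROM users WHERE username = :username",
    options: { replacements: { username: username } },
  };
}

// Constructed attacker input: closes the quoted literal and comments out
// the remainder of the original query.
const payload = "' OR 1=1 --";

function demo() {
  console.log("unsafe  :", buildWhereStringUnsafe(payload));
  console.log("escaped :", buildWhereStringEscaped(payload));
  console.log("object  :", JSON.stringify(buildWhereObject(payload)));
  console.log("raw     :", JSON.stringify(buildRawQuery(payload)));
}

demo();
```

Run with `node` to see the four clauses side by side: the unsafe builder emits `username = '' OR 1=1 --'`, where the injected `OR 1=1` has escaped the literal and the trailing quote is commented out, while the escaped builder keeps the whole payload inside one quoted string. The object and replacements forms never produce SQL text in the application at all, which is why they are the better fix than a hand-written escaper.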