Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.
The following proof-of-concept crashes the Node process:
This PR contains the following updates: `sequelize` 4.43.0 -> 4.44.4
GitHub Vulnerability Alerts
GHSA-fw4p-36j9-rrj3
Recommendation
Upgrade to version 4.44.4 or later.
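To make the failure mode concrete for reviewers of this bump, the following is an added illustration and not sequelize's own code: it models a dialect-style query wrapper that hands a driver callback's rows to `.map`. The driver (`fakeDriverAll`), the query functions and `normalizeRows` are hypothetical stand-ins; the point is that a throw inside an asynchronous driver callback is outside the promise executor's synchronous body, so without a `try`/`catch` it surfaces as an `uncaughtException` and terminates the process, whereas the guarded shape turns it into a rejection the caller can handle.

```javascript
// Added example (not sequelize's code). Models why an unguarded `.map` over a
// possibly-undefined query result crashes a Node process, and the defensive
// shape that converts the same condition into a handled result or rejection.

// Hypothetical driver: invokes the callback on a later tick, as real database
// drivers do. `rows` may be undefined in the failure mode being described.
function fakeDriverAll(rows, callback) {
  setImmediate(() => callback(null, rows));
}

// Vulnerable shape: `results.map` throws a TypeError when `results` is
// undefined. The throw happens inside the driver callback, not inside the
// promise executor, so nothing converts it into a rejection; Node reports an
// uncaughtException and exits. (Not called with undefined below on purpose.)
function queryUnguarded(rows) {
  return new Promise((resolve, reject) => {
    fakeDriverAll(rows, (err, results) => {
      if (err) return reject(err);
      resolve(results.map(row => ({ ...row })));
    });
  });
}

// Defensive normalisation: treat a missing result set as an empty one.
function normalizeRows(results) {
  return Array.isArray(results) ? results : [];
}

// Fixed shape: guard the value, and wrap the callback body so any remaining
// error becomes a rejection instead of an uncaught exception.
function queryGuarded(rows) {
  return new Promise((resolve, reject) => {
    fakeDriverAll(rows, (err, results) => {
      if (err) return reject(err);
      try {
        resolve(normalizeRows(results).map(row => ({ ...row })));
      } catch (e) {
        reject(e);
      }
    });
  });
}

// Constructed sample input: one normal result set and the undefined case.
const sampleRows = [{ id: 1, name: 'alice' }];

async function demo() {
  console.log('guarded, rows:', await queryGuarded(sampleRows));     // 1 row
  console.log('guarded, undefined:', await queryGuarded(undefined)); // []
  console.log('unguarded, rows:', await queryUnguarded(sampleRows)); // 1 row
  // queryUnguarded(undefined) would end the process with an uncaught TypeError.
}

demo();
```

The guard in `normalizeRows` is the cheap part; the `try`/`catch` around the callback body is what actually keeps the process alive, since it also covers any other exception a row transform might raise.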
Release Notes
sequelize/sequelize (sequelize)
### [`v4.44.4`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.4)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.44.3...v4.44.4)

##### Bug Fixes

- **sqlite:** properly catch errors ([#11877](https://togithub.com/sequelize/sequelize/issues/11877)) ([8931bf6](https://togithub.com/sequelize/sequelize/commit/8931bf6c567b4cb3b35de8993cf74c82008b4275))

### [`v4.44.3`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.3)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.44.2...v4.44.3)

##### Security

This release fixes two security issues for MySQL, both affecting the same component. https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221

- **mysql:** json path security issues ([#11332](https://togithub.com/sequelize/sequelize/issues/11332)) ([efd2f40](https://togithub.com/sequelize/sequelize/commit/efd2f40))

### [`v4.44.2`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.44.1...v4.44.2)

##### Bug Fixes

- use files and remove .npmignore ([6674a3c](https://togithub.com/sequelize/sequelize/commit/6674a3c))

### [`v4.44.1`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.44.0...v4.44.1)

##### Bug Fixes

- **pool:** destroy pooled errors properly with replication ([#11140](https://togithub.com/sequelize/sequelize/issues/11140)) ([a1ccf04](https://togithub.com/sequelize/sequelize/commit/a1ccf04))

### [`v4.44.0`](https://togithub.com/sequelize/sequelize/releases/tag/v4.44.0)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.43.2...v4.44.0)

##### Bug Fixes

- **redshift:** allow standard_conforming_strings option ([#10816](https://togithub.com/sequelize/sequelize/issues/10816)) ([a32263f](https://togithub.com/sequelize/sequelize/commit/a32263f))

##### Features

- **postgres:** enable standard conforming strings when required ([#10746](https://togithub.com/sequelize/sequelize/issues/10746)) ([c9d3a97](https://togithub.com/sequelize/sequelize/commit/c9d3a97))

### [`v4.43.2`](https://togithub.com/sequelize/sequelize/releases/tag/v4.43.2)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.43.1...v4.43.2)

##### Bug Fixes

- **mssql:** subquery handling for order ([#10769](https://togithub.com/sequelize/sequelize/issues/10769)) ([73d7a65](https://togithub.com/sequelize/sequelize/commit/73d7a65))

### [`v4.43.1`](https://togithub.com/sequelize/sequelize/releases/tag/v4.43.1)

[Compare Source](https://togithub.com/sequelize/sequelize/compare/v4.43.0...v4.43.1)

##### Bug Fixes

- **mysql:** boolean TINYINT support ([#10660](https://togithub.com/sequelize/sequelize/issues/10660)) ([2f92e21](https://togithub.com/sequelize/sequelize/commit/2f92e21))

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.