Affected versions of `sequelize` are vulnerable to SQL Injection when user input is passed into `findOne` or into a statement such as `where: "user input"`.

## Recommendation

Update to version 3.0.0 or later.

Version 3.0.0 will introduce a number of breaking changes.
Thankfully, the project authors have provided a 2.x -> 3.x [upgrade guide](https://github.com/sequelize/sequelize/wiki/Upgrade-from-2.0-to-3.0) to ease this transition.

If upgrading is not an option, it is also possible to mitigate this by ensuring that all uses of `where: "input"` and `findOne("input")` are properly sanitized, such as by the use of a wrapper function.

Affected Packages

npm sequelize

Affected versions: 0 (fixed in 3.0.0)

Related CVEs

CVE-2016-10553

Key Information

GHSA ID

GHSA-2v7q-2xqx-f4q5

Published

February 18, 2019 11:54 PM

Last Modified

August 31, 2020 6:11 PM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

sequelize

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.