Affected versions of `sequelize` are vulnerable to SQL Injection in locations where user input is passed into the `limit` or `order` parameters of `sequelize` query calls, such as `findOne` or `findAll`.

## Recommendation

Update to version 3.17.0 or later.

Affected Packages

npm sequelize

Affected versions: 0 (fixed in 3.17.0)

Related CVEs

CVE-2016-10550

Key Information

GHSA ID

GHSA-98pq-pmw9-4gpm

Published

February 18, 2019 11:54 PM

Last Modified

August 31, 2020 6:11 PM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

sequelize

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.