GHSA-x2jc-pwfj-h9p3
GitHub Security Advisory
SQL Injection in sequelize
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Affected versions of `sequelize` use MySQL's backslash-based escape syntax when connecting to SQLite, even though SQLite uses PostgreSQL's escape syntax. Values escaped this way can result in a SQL Injection vulnerability.
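The mismatch can be checked mechanically. The following is an added example, not sequelize's code: `escapeBackslashStyle`, `escapeQuoteDoubling`, `readSqliteLiteral` and `roundTrips` are hypothetical helpers, and the sample values are constructed. It escapes a value both ways and then reads the result back under SQLite's literal rules, where a backslash is an ordinary character and an embedded quote is written as two quotes.

```javascript
// Simplified stand-in for backslash-style (MySQL convention) escaping.
function escapeBackslashStyle(value) {
  return "'" + value.replace(/[\\']/g, (c) => "\\" + c) + "'";
}

// Quote-doubling escaping, the form SQLite expects.
function escapeQuoteDoubling(value) {
  return "'" + value.replace(/'/g, "''") + "'";
}

// Read one string literal from the start of `sql` using SQLite's rules:
// backslash has no special meaning, '' is an embedded quote, and a single
// ' ends the literal. Returns { value, rest }, or null if unterminated.
function readSqliteLiteral(sql) {
  if (sql[0] !== "'") return null;
  let value = "";
  let i = 1;
  while (i < sql.length) {
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") {
        value += "'";
        i += 2;
        continue;
      }
      return { value, rest: sql.slice(i + 1) };
    }
    value += sql[i];
    i += 1;
  }
  return null;
}

// An escaper is safe for SQLite only if the database reads back exactly
// the input value and nothing is left over after the closing quote.
function roundTrips(escapeFn, input) {
  const parsed = readSqliteLiteral(escapeFn(input));
  return parsed !== null && parsed.rest === "" && parsed.value === input;
}

// Constructed sample values: an ordinary name and a Windows-style path.
const SAMPLES = ["O'Brien", "C:\\temp"];
for (const s of SAMPLES) {
  console.log(s, "backslash:", roundTrips(escapeBackslashStyle, s),
    "doubling:", roundTrips(escapeQuoteDoubling, s));
}
```

A `rest` that is not empty means part of the value was read as SQL outside the literal, which is the condition the advisory describes. A regression test for a dialect's escaper can assert `roundTrips` over values containing quotes and backslashes.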
## Recommendation
Update to version 1.7.0-alpha3 or later.
Affected Packages
npm: sequelize
Affected versions: 0 (fixed in 1.7.0)
Related CVEs
Key Information
5.0/10
Dataset
Last updated: July 5, 2025 6:26 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.