
Is Mend vulnerable to the Sequelize SQL Injection vulnerability, CVE-2023-25813?

On February 22, 2023, a new vulnerability was disclosed for the npm package Sequelize. CVE-2023-25813 is rated CRITICAL, with a CVSS score of 10.0.

Mend is up to date with the CVE details and we encourage our customers to scan any new projects with Mend to identify whether their code is impacted by this vulnerability.

What is CVE-2023-25813?

From the Sequelize Advisory, CVE-2023-25813 is described as:

The SQL injection exploit is related to replacements. Here is an example:

In the following query, some parameters are passed through replacements, and some are passed directly through the where option.

const { literal, or } = require('sequelize');

// `User` is a model defined elsewhere; `firstName` and `lastName` hold
// user-supplied input. `or` and `literal` are the helpers exported by Sequelize.
User.findAll({
  where: or(
    literal('soundex("firstName") = soundex(:firstName)'),
    { lastName: lastName },
  ),
  replacements: { firstName },
})

This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize processed the query: Sequelize built a first query using the where option, then passed it over to sequelize.query, which parsed the resulting SQL to inject all :replacements.

If the user passed values such as

{
  "firstName": "OR true; DROP TABLE users;",
  "lastName": ":firstName"
}

Sequelize would first generate this query:

SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ':firstName'

Then would inject replacements in it, which resulted in this:

SELECT * FROM users WHERE soundex("firstName") = soundex('OR true; DROP TABLE users;') OR "lastName" = ''OR true; DROP TABLE users;''

As you can see, this resulted in arbitrary user-provided SQL being executed.
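The two-step substitution the advisory describes, shown as an added example that is not Sequelize's or Mend's code: a simplified model in which the where option is rendered to SQL first and ":name" replacements are then spliced into the finished SQL text. renderWhere, escapeString, naiveInjectReplacements and quoteAwareInjectReplacements are hypothetical helpers written for this illustration. The naive version reproduces the advisory's final query exactly; the quote-aware version stands in for the kind of string-literal-aware parsing a replacement step needs, and leaves the ":firstName" text inside the user-supplied literal untouched.

```javascript
// Added example (not Sequelize's or Mend's code): a simplified model of how
// ":name" replacements are spliced into an already-rendered SQL string.
// All functions below are hypothetical helpers written for this illustration.

// Render a JS string as a single-quoted SQL literal (embedded quotes doubled).
function escapeString(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Step 1 of the advisory: the `where` option is rendered first. `lastName`
// comes from the user and is escaped correctly, but the resulting string
// literal may itself contain the text ":firstName".
function renderWhere({ lastName }) {
  return `SELECT * FROM users WHERE soundex("firstName") = soundex(:firstName) OR "lastName" = ${escapeString(lastName)}`;
}

// Vulnerable behaviour as the advisory describes it: every ":name" token
// anywhere in the SQL text is substituted, including tokens that sit inside
// a string literal produced by step 1. That turns the escaped literal into
// live SQL.
function naiveInjectReplacements(sql, replacements) {
  return sql.replace(/:(\w+)/g, (match, name) =>
    name in replacements ? escapeString(replacements[name]) : match);
}

// Hardened behaviour: walk the SQL, copy single-quoted literals verbatim
// (honouring doubled quotes), and only substitute tokens outside literals.
function quoteAwareInjectReplacements(sql, replacements) {
  let out = '';
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "'") {
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { j += 2; continue; } // doubled quote, still inside
          break; // closing quote
        }
        j++;
      }
      out += sql.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    if (ch === ':' && /\w/.test(sql[i + 1] || '')) {
      let j = i + 1;
      while (j < sql.length && /\w/.test(sql[j])) j++;
      const name = sql.slice(i + 1, j);
      out += name in replacements ? escapeString(replacements[name]) : sql.slice(i, j);
      i = j;
      continue;
    }
    out += ch;
    i++;
  }
  return out;
}

// Constructed input: the exact values from the advisory.
const advisoryInput = { firstName: 'OR true; DROP TABLE users;', lastName: ':firstName' };

// Runs both variants over the advisory's input and returns the three SQL strings.
function demonstrate(input = advisoryInput) {
  const rendered = renderWhere(input);
  const replacements = { firstName: input.firstName };
  return {
    rendered,
    vulnerable: naiveInjectReplacements(rendered, replacements),
    hardened: quoteAwareInjectReplacements(rendered, replacements),
  };
}

const result = demonstrate();
console.log('step 1 :', result.rendered);
console.log('naive  :', result.vulnerable);
console.log('aware  :', result.hardened);
```

The naive output matches the advisory's final query character for character, which is the tell-tale sign to look for when reviewing any query builder that layers placeholder substitution over already-escaped text: a user-controlled value must never be able to create a new substitution site. The quote-aware walker is one way to enforce that; upgrading to a fixed Sequelize release is the actual remediation.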

What components are impacted by CVE-2023-25813?

Only Sequelize versions older than v6.19.1 are vulnerable to CVE-2023-25813; v6.19.1 and later are not affected.

What is Mend’s recommended action to fix CVE-2023-25813 for my own products?

  1. Run an organization-wide inventory report. If you require a report across multiple organizations or have over 1000 products, we recommend using the Mend Bulk Report Generator tool to streamline report generation.

  2. If you have a global organization and are a global admin, you can run asynchronous reports across all of your organizations via the Global Admin console > Account Report Export setting.

  3. Search the inventory report for libraries with instances of the referenced vulnerability to identify impacted applications.

  4. Contact the relevant teams and alert them to the urgency and the fix.

  5. Users of affected versions should apply the necessary mitigations or remediations:

    1. Mitigation Recommendations: Advisory: Sequelize GitHub Repository

    2. Remediation Recommendations: Mend Database: CVE-2023-25813

Are Mend offerings vulnerable to CVE-2023-25813?

Mend products are not vulnerable to CVE-2023-25813.

Frequently Asked Questions

Q: Do I need to rescan my projects to detect this vulnerability?

A: No, Mend keeps a current list of vulnerabilities in our index, and alerts are automatically applied to a vulnerability once the index is updated.

Q: How can Mend alert me when a vulnerability of this severity is introduced in my project?

A: If you have policies set up in your organization, Mend will automatically notify you in case you are affected by this vulnerability. To set up a policy within your organization, please review our Policies documentation. If you do not wish to set this up, you can utilize the Security Alerts reports for the CVEs.

Q: How can I tell if this vulnerability is one of my transitive dependencies?

A: Our Inventory report, Security Alerts reports, and the Library Details page all provide documentation for analyzing your inventory’s dependency trees to help you determine your next steps in mitigating this vulnerability. To retrieve the reports mentioned, navigate to the corresponding page in your Mend UI, or use our asynchronous Reports APIs or synchronous APIs.

Related Documentation
