CVE-2016-10550
SQL Injection in sequelize
EPSS 0.49%
Description
Affected versions of `sequelize` are vulnerable to SQL Injection in locations where user input is passed into the `limit` or `order` parameters of `sequelize` query calls, such as `findOne` or `findAll`.
Recommendation
Update to version 3.17.0 or later.
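The upgrade is the fix; independently of it, the `limit` and `order` options should never receive raw request values. The following is an added example (not code from the advisory or from the sequelize project) showing how to coerce `limit` to a bounded integer and map `order` onto an allowlist before the options object reaches a call such as `Model.findAll(options)`. The names `ALLOWED_SORT_COLUMNS`, `MAX_LIMIT`, `parseLimit`, `parseOrder` and `buildQueryOptions`, and the sample inputs, are assumptions made for the example.

```javascript
// Added example, not from the advisory or the sequelize project: validate
// user-supplied paging and sorting before it reaches Sequelize's `limit`/`order`.
// The allowlist contents, MAX_LIMIT and all function names are assumptions.

const ALLOWED_SORT_COLUMNS = new Set(['id', 'createdAt', 'title']);
const ALLOWED_DIRECTIONS = new Set(['ASC', 'DESC']);
const MAX_LIMIT = 100;

// Coerce `limit` to a bounded positive integer. Anything that is not a short
// plain decimal integer (e.g. "10; DROP TABLE users") is rejected, so no raw
// string ever reaches the query builder.
function parseLimit(raw, fallback = 20) {
  if (raw === undefined || raw === null || raw === '') return fallback;
  if (!/^\d{1,4}$/.test(String(raw))) {
    throw new TypeError(`invalid limit: ${JSON.stringify(raw)}`);
  }
  const n = Number(raw);
  if (n < 1) throw new RangeError('limit must be >= 1');
  return Math.min(n, MAX_LIMIT);
}

// Map a user-supplied "column:direction" string onto Sequelize's structured
// order form [[column, direction]], accepting only allowlisted values. Column
// names the caller does not expose (or any trailing SQL) fail the lookup.
function parseOrder(raw, fallback = [['id', 'ASC']]) {
  if (raw === undefined || raw === null || raw === '') return fallback;
  const [column, dir = 'ASC'] = String(raw).split(':');
  const direction = dir.toUpperCase();
  if (!ALLOWED_SORT_COLUMNS.has(column) || !ALLOWED_DIRECTIONS.has(direction)) {
    throw new TypeError(`invalid order: ${JSON.stringify(raw)}`);
  }
  return [[column, direction]];
}

// Build the options object that would be passed to e.g. Model.findAll(options).
// `query` is the parsed query string of an incoming request.
function buildQueryOptions(query) {
  return {
    limit: parseLimit(query.limit),
    order: parseOrder(query.order),
  };
}

// Constructed sample inputs, shaped like a request's parsed query string.
const accepted = buildQueryOptions({ limit: '25', order: 'createdAt:desc' });
console.log('accepted:', JSON.stringify(accepted));

for (const bad of [{ limit: '10; DROP TABLE users' }, { order: 'password:ASC' }]) {
  try {
    buildQueryOptions(bad);
  } catch (e) {
    console.log('rejected:', e.message);
  }
}
```

Because `order` is emitted as `[[column, direction]]` built from allowlisted literals rather than as a string, and `limit` is a checked number, the values handed to the ORM cannot carry attacker-controlled SQL regardless of which sequelize version is installed.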
How to fix CVE-2016-10550
To remediate CVE-2016-10550, upgrade the affected package to a fixed version below.
- npm/sequelize: upgrade to 3.17.0 or later
Is CVE-2016-10550 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/sequelize: from 0, < 3.17.0