Sequelize (Node.js) – Support, CVEs & Health

Security

Known Vulnerabilities

10 active CVEs reported via OSV.dev

GHSA-2598-2f59-rmhq CVSS_V3

SQL Injection in sequelize

Published: 2019-11-08 Fixed in: 3.35.1

GHSA-2777-2vq8-c4v4 CVSS_V3

SQL Injection in sequelize

Published: 2019-04-11 Fixed in: 5.3.0

GHSA-2v7q-2xqx-f4q5 Unknown

Potential SQL Injection in sequelize

Published: 2019-02-18 Fixed in: 3.0.0

GHSA-5v9h-q3gj-c32x CVSS_V3

SQL Injection via GeoJSON in sequelize

Published: 2020-09-01 Fixed in: 3.23.6

GHSA-6457-6jrx-69cr CVSS_V3

Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Published: 2026-03-11 Fixed in: 6.37.8

GHSA-8c25-f3mj-v6h8 CVSS_V3

Sequelize information disclosure vulnerability

Published: 2023-02-16 Fixed in: 6.28.1

GHSA-98pq-pmw9-4gpm Unknown

SQL Injection in sequelize

Published: 2019-02-18 Fixed in: 3.17.0

GHSA-9c2p-jw8p-f84v CVSS_V3

SQL Injection in sequelize

Published: 2019-02-18 Fixed in: 3.20.0

GHSA-f598-mfpv-gmfx CVSS_V3

Sequelize - Default support for “raw attributes” when using parentheses

Published: 2023-02-24 Fixed in: 7.0.0-alpha.20

GHSA-fw4p-36j9-rrj3 Unknown

Denial of Service in sequelize

Published: 2020-09-03 Fixed in: 4.44.4