{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30951", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:34:39.980Z", "datePublished": "2026-03-10T20:22:46.150Z", "dateUpdated": "2026-03-11T14:40:34.034Z"}, "containers": {"cna": {"title": "Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"}], "affected": [{"vendor": "sequelize", "product": "sequelize", "versions": [{"version": ">= 6.0.0-beta.1, < 6.37.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T00:19:12.793Z"}, "descriptions": [{"lang": "en", "value": "Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8."}], "source": {"advisory": "GHSA-6457-6jrx-69cr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:40:09.586637Z", "id": "CVE-2026-30951", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:40:34.034Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "SQL Injection via JSON Column Cast Type in Sequelize v6", "source": {"advisory": "GHSA-6457-6jrx-69cr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sequelize", "product": "sequelize", "versions": [{"status": "affected", "version": "< 6.37.8"}]}], "references": [{"url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr", "name": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:22:46.150Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30951", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:40:09.586637Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-11T14:40:29.642Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-30951", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:22:46.150Z", "dateReserved": "2026-03-07T17:34:39.980Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T20:22:46.150Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "AD0E1D98-A552-4E72-B530-62CC7B1B21B8", "versionEndExcluding": "6.37.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8."}, {"lang": "es", "value": "Sequelize es una herramienta ORM para Node.js. Antes de la 6.37.8, existe una inyecci\u00f3n SQL mediante un tipo de conversi\u00f3n (cast) sin escapar en el procesamiento de cl\u00e1usulas WHERE de JSON/JSONB. La funci\u00f3n _traverseJSON() divide las claves de ruta JSON en :: para extraer un tipo de conversi\u00f3n (cast), el cual se interpola directamente en el SQL CAST(... AS ). Un atacante que controla las claves de objetos JSON puede inyectar SQL arbitrario y exfiltrar datos de cualquier tabla. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 6.37.8."}], "id": "CVE-2026-30951", "lastModified": "2026-03-18T19:16:04.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T21:16:48.030", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "sequelize: Sequelize: Data exfiltration via SQL injection in JSON/JSONB where clause processing", "id": "2446250", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446250"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-89", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-30951", "package_state": [{"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "openshift-sandboxed-containers/osc-pccs", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "linux-sgx", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "linux-sgx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-remediations-rhel9", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-10T20:22:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30951\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30951\nhttps://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-beta.1,6.37.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "matching"}]}, "original": {"product": "sequelize", "source": "cna", "vendor": "sequelize"}, "product": "sequelize", "vendor": "sequelizejs"}], "analysis": {"en": {"generated_at": "2026-04-16T03:24:45.680480+00:00", "value": {"mitigation_remediation": ["Upgrade Sequelize to version 6.37.8 or newer.", "Validate or sanitize all JSON object keys to remove the '::' casting syntax before they are passed to Sequelize.", "Review application code to ensure no untrusted JSON input is used directly in where clauses or SQL construction."], "summary": {"action": "Immediate Patch", "impact": "Database Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is Sequelize, the Node.js ORM, with all versions released prior to 6.37.8. This includes the open\u2011source Sequelize project managed by Sequelizejs:sequelize. Any deployment that relies on these versions for database interactions is at risk.", "description_and_impact": "Sequelize is a Node.js ORM used to interact with relational databases. In versions before 6.37.8, the internal _traverseJSON() function splits JSON path keys on the delimiter '::' to extract a presumed cast type. This type is then interpolated directly into a SQL CAST clause without escaping. An attacker who can control the keys of a JSON object supplied to the ORM can insert arbitrary SQL fragments, enabling execution of unintended statements and exfiltration of data from any table. The vulnerability is an instance of CWE\u201189 as it involves unsanitized input used in SQL generation.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates significant potential impact. The EPSS score is less than 1%, suggesting that exploitation is not common in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is application\u2011layer input manipulation: an attacker must supply crafted JSON keys that are processed by Sequelize\u2019s where clause logic. Successful exploitation would give the attacker unauthorized database access and the ability to read or modify data, which could directly compromise confidentiality and integrity."}}}}, "created": "2026-03-11T11:42:51.834956+00:00", "updated": "2026-04-16T03:30:06.066486+00:00", "vendors": ["sequelizejs", "sequelizejs$PRODUCT$sequelize"]}