CVE-2026-30951

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*

History

18 Mar 2026, 19:16

Type	Values Removed	Values Added
References	~~() https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr -~~	() https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr - Exploit, Mitigation, Vendor Advisory
First Time		Sequelizejs Sequelizejs sequelize
CPE		cpe:2.3:a:sequelizejs:sequelize::::::node.js::*

11 Mar 2026, 13:52

Type	Values Removed	Values Added
Summary		(es) Sequelize es una herramienta ORM para Node.js. Antes de la 6.37.8, existe una inyección SQL mediante un tipo de conversión (cast) sin escapar en el procesamiento de cláusulas WHERE de JSON/JSONB. La función _traverseJSON() divide las claves de ruta JSON en :: para extraer un tipo de conversión (cast), el cual se interpola directamente en el SQL CAST(... AS ). Un atacante que controla las claves de objetos JSON puede inyectar SQL arbitrario y exfiltrar datos de cualquier tabla. Esta vulnerabilidad está corregida en la versión 6.37.8.

10 Mar 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 21:16

Updated : 2026-03-18 19:16

NVD link : CVE-2026-30951

Mitre link : CVE-2026-30951

CVE.ORG link : CVE-2026-30951

JSON object : View

Products Affected

sequelizejs

sequelize

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-30951", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-10T21:16:48.030", "references": [{"url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8."}, {"lang": "es", "value": "Sequelize es una herramienta ORM para Node.js. Antes de la 6.37.8, existe una inyecci\u00f3n SQL mediante un tipo de conversi\u00f3n (cast) sin escapar en el procesamiento de cl\u00e1usulas WHERE de JSON/JSONB. La funci\u00f3n _traverseJSON() divide las claves de ruta JSON en :: para extraer un tipo de conversi\u00f3n (cast), el cual se interpola directamente en el SQL CAST(... AS ). Un atacante que controla las claves de objetos JSON puede inyectar SQL arbitrario y exfiltrar datos de cualquier tabla. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 6.37.8."}], "lastModified": "2026-03-18T19:16:04.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sequelizejs:sequelize:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "AD0E1D98-A552-4E72-B530-62CC7B1B21B8", "versionEndExcluding": "6.37.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}