
[Aikido] Fix security issue in sequelize via minor version upgrade from 6.2.2 to 6.37.8 in server #33

Status: Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-KAN-2670update-packages-31432691-v9g4


Conversation

aikido-autofix (Bot) commented on May 7, 2026


Upgrade Sequelize to fix SQL injection vulnerability in JSON/JSONB WHERE clause processing that allows arbitrary SQL execution and data exfiltration.

✅ There are no breaking changes

✅ 1 CVE resolved by this upgrade

This PR will resolve the following CVEs:

Issue: CVE-2026-30951
Severity: HIGH
Description: [sequelize] SQL injection vulnerability in JSON/JSONB where clause processing allows attackers to inject arbitrary SQL through unescaped cast types in JSON path keys, enabling data exfiltration from any table. The _traverseJSON() function fails to properly escape cast types before interpolating them into CAST SQL statements.

aikido-autofix (Bot) added labels on May 7, 2026: bug (Something isn't working), documentation (Improvements or additions to documentation)
