{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30951", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:34:39.980Z", "datePublished": "2026-03-10T20:22:46.150Z", "dateUpdated": "2026-03-11T00:19:12.793Z"}, "containers": {"cna": {"title": "Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"}], "affected": [{"vendor": "sequelize", "product": "sequelize", "versions": [{"version": ">= 6.0.0-beta.1, < 6.37.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T00:19:12.793Z"}, "descriptions": [{"lang": "en", "value": "Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8."}], "source": {"advisory": "GHSA-6457-6jrx-69cr", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8."}], "id": "CVE-2026-30951", "lastModified": "2026-03-10T21:16:48.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T21:16:48.030", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "sequelize: Sequelize: Data exfiltration via SQL injection in JSON/JSONB where clause processing", "id": "2446250", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446250"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-89", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-30951", "package_state": [{"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "openshift-sandboxed-containers/osc-pccs", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "linux-sgx", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "linux-sgx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-remediations-rhel9", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-10T20:22:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30951\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30951\nhttps://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-beta.1,6.37.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "matching"}]}, "original": {"product": "sequelize", "source": "cna", "vendor": "sequelize"}, "product": "sequelize", "vendor": "sequelizejs"}], "created": "2026-03-11T11:42:51.834956+00:00", "updated": "2026-03-11T11:42:51.835031+00:00", "vendors": ["sequelizejs", "sequelizejs$PRODUCT$sequelize"]}