Last year, during a tangent for a project, Kevin and I found a series of vulnerabilities in (combinations of) several Node.js packages that led to critical issues for our client, and most likely other users as well.
__proto__. All in all, this resulted in 6 CVEs in three different packages (Feathers.js, Sequelize and Socket.IO).
You can read the full write-up here.
- CVE-2022-29822 - Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
- CVE-2022-2422 - Feathers - SQL injection via attribute aliases
- CVE-2023-22580 - Sequelize - Bad query filtering leading to SQL errors
- CVE-2023-22579 - Sequelize - Unsafe fall-through in getWhereConditions
- CVE-2023-22578 - Sequelize - Default support for “raw attributes” when using parentheses
- CVE-2022-2421 - Socket.IO - Improper type validation in attachment parsing