String Concatenation in Raw Queries
Event fields are directly concatenated into SQL strings passed to sequelize.query() without replacements.
A SQL injection vulnerability: untrusted event fields are concatenated into SQL passed to sequelize.query() without parameterization (replacements or bind parameters), potentially allowing an attacker to read or modify database data, escalate privileges, or run arbitrary queries via crafted Lambda event input.
Configuration changes required - see explanation below.
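The following is an added example, not Sourcery's rule implementation and not Sequelize's code. It places the flagged pattern (a Lambda event field concatenated into the SQL string) beside the parameterized form that Sequelize supports through the `replacements` option of `sequelize.query()`. The handler names, the `users` table and the sample event are assumptions made for the illustration; a small stand-in records what `query()` receives so the example runs offline without a database.

```javascript
// Added example: not Sourcery's rule implementation and not Sequelize's code.
// The handler names, the `users` table and the sample event are constructed
// for illustration. A stand-in records what query() receives so this runs
// offline; with a real Sequelize instance the same handler code would be
// awaited and the event value would reach the database as data, not SQL text.

// Stand-in for a Sequelize instance (assumption: only `query` is needed here).
// Real sequelize.query() returns a Promise and performs the substitution with
// driver-level escaping; this recorder just returns the call synchronously.
function makeQueryRecorder() {
  const calls = [];
  return {
    calls,
    query(sql, options = {}) {
      const call = { sql, options };
      calls.push(call);
      return call;
    },
  };
}

// The pattern this rule flags: the event field becomes part of the SQL text,
// so a quote character in the input changes the structure of the query.
function lookupUserVulnerable(db, event) {
  const username = event.queryStringParameters.username;
  const sql = "SELECT id, email FROM users WHERE username = '" + username + "'";
  return db.query(sql);
}

// Hardened form: the SQL text is a constant with a named placeholder and the
// event value travels separately in `replacements` (Sequelize's `:name`
// syntax; `bind` with `$name` placeholders is the other supported option).
function lookupUserSafe(db, event) {
  const username = event.queryStringParameters.username;
  const sql = "SELECT id, email FROM users WHERE username = :username";
  return db.query(sql, { replacements: { username } });
}

// Constructed Lambda proxy event whose username field contains a quote.
const SAMPLE_EVENT = {
  queryStringParameters: { username: "alice' OR '1'='1" },
};

// Runs both handlers on the same event and reports whether the input ended
// up inside the SQL text (vulnerable) or stayed separate as data (safe).
function compareHandlers(event = SAMPLE_EVENT) {
  const input = event.queryStringParameters.username;
  const vulnerable = lookupUserVulnerable(makeQueryRecorder(), event);
  const safe = lookupUserSafe(makeQueryRecorder(), event);
  return {
    vulnerableSql: vulnerable.sql,
    safeSql: safe.sql,
    safeReplacements: safe.options.replacements,
    inputLeakedIntoSql: vulnerable.sql.includes(input),
    inputKeptAsData: !safe.sql.includes(input),
  };
}

console.log(compareHandlers());
```

Running it shows the vulnerable handler's SQL text changing with the input while the safe handler always sends the same constant statement; the query shape is fixed at development time and the event value can only ever be compared as a string. Input validation on the event field is a reasonable additional layer, but it is not a substitute for passing values through `replacements` or `bind`.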
Sourcery automatically identifies SQL injection from AWS Lambda event data in Sequelize raw queries, along with many other security issues in your codebase.