Sequelize v6.37.8 Patches Critical SQL Injection Vulnerability (CVE-2026-30951)
A critical security flaw in the popular Sequelize ORM for Node.js has been patched, exposing countless applications to SQL injection attacks. The vulnerability, tracked as CVE-2026-30951, resides in the library's JSON/JSONB `where` clause processing. Specifically, the `_traverseJSON()` function splits JSON path keys on the `::` delimiter to extract a cast type, which is then interpolated raw, without validation or escaping, into the generated `CAST(... AS <type>)` SQL statement. Any application that lets untrusted input determine the keys of a JSON `where` object is therefore exposed: an attacker who controls those keys can inject arbitrary SQL.
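As an added illustration (not Sequelize's own code), the following shows the safe way to handle the key-splitting step described above: the cast type after `::` is checked against an allowlist and each JSON path segment is restricted to identifier characters before any SQL text is assembled. The PostgreSQL `#>>` path operator, the allowlist contents and the function names are assumptions of this example.

```javascript
// Hardened handling of "path::type" JSON keys. Constructed example; the
// allowlist, operator choice and names are this example's assumptions,
// not Sequelize internals.

const ALLOWED_CAST_TYPES = new Set([
  'text', 'int', 'integer', 'bigint', 'numeric', 'float', 'boolean',
  'date', 'timestamp', 'timestamptz', 'uuid', 'jsonb',
]);

// A JSON path segment may only contain identifier characters, so quotes,
// braces, commas or parentheses can never reach the generated SQL.
const SAFE_PATH_SEGMENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Split "path::type" and validate the cast type against the allowlist.
// Returns { path, castType } where castType is null when no "::" is present.
function parseJsonCastKey(key) {
  const idx = key.indexOf('::');
  if (idx === -1) return { path: key, castType: null };
  const path = key.slice(0, idx);
  const castType = key.slice(idx + 2).trim().toLowerCase();
  if (!ALLOWED_CAST_TYPES.has(castType)) {
    throw new Error(`Unsupported cast type in JSON key: ${JSON.stringify(castType)}`);
  }
  return { path, castType };
}

// Build the JSON extraction expression for a column, optionally wrapped in
// CAST. Every piece that ends up in the SQL string has been validated.
function buildCastExpression(column, key) {
  const { path, castType } = parseJsonCastKey(key);
  const segments = path.split('.');
  for (const segment of segments) {
    if (!SAFE_PATH_SEGMENT.test(segment)) {
      throw new Error(`Invalid JSON path segment: ${JSON.stringify(segment)}`);
    }
  }
  // PostgreSQL text[] path literal, e.g. '{meta,tags}' (assumed dialect).
  const pathLiteral = `'{${segments.join(',')}}'`;
  const expr = `("${column}"#>>${pathLiteral})`;
  return castType ? `CAST(${expr} AS ${castType})` : expr;
}

module.exports = { parseJsonCastKey, buildCastExpression, ALLOWED_CAST_TYPES };
```

Keys such as `price::numeric; x` or `price)::numeric` are rejected before any SQL is produced, whereas `price::numeric` yields `CAST(("data"#>>'{price}') AS numeric)`.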
The patch is delivered in Sequelize version 6.37.8, which updates from the vulnerable 6.37.5. The update was flagged as a security priority and autoclosed a related dependency update pull request on GitHub, underscoring its urgency. The vulnerability advisory (GHSA-6457-6jrx-69cr) confirms the exploit path, making this a high-severity issue for any application using Sequelize's JSON query features without proper input sanitization.
This patch is a mandatory update for all development and security teams. The risk is not theoretical; it is a functional exploit in a core data access layer used by thousands of projects. Failure to upgrade leaves database layers open to direct manipulation, potentially leading to data exfiltration, corruption, or complete system compromise. The autoclosed PR and explicit security label signal that this is a live threat requiring immediate remediation.