Affected versions of sequelize use MySQL's backslash-based escape syntax when connecting to SQLite, despite the fact that SQLite uses PostgreSQL's escape syntax, which can result in a SQL Injection vulnerability.

Recommendation

Update to version 1.7.0-alpha3 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-10554
• sequelize/sequelize@c876192
• GHSA-x2jc-pwfj-h9p3
• https://www.npmjs.com/advisories/113