SYM_JSTS_0148 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Certificate Validation
Property | Value |
---|---|
Language | JavaScript / TypeScript |
Severity | |
CWE | CWE-295: Improper Certificate Validation |
OWASP | A02:2021 - Cryptographic Failures |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
Setting 'rejectUnauthorized: false' in the 'ssl' object of Sequelize's 'dialectOptions' (for example 'dialectOptions: { ssl: { require: true, rejectUnauthorized: false } }' with the Postgres dialect) disables server certificate verification for the database connection. The channel is still encrypted, but the client accepts any certificate, including a self-signed one presented by an attacker on the network path, so the database server is no longer authenticated and the confidentiality and integrity that TLS is supposed to provide for data in transit are lost. The setting is usually added to silence errors caused by self-signed or provider-issued certificates; the correct fix is to keep verification enabled and supply the issuing CA through the 'ca' option instead.
Impact
An attacker positioned between the Node.js application and the database (on the same network segment, on a compromised router, or behind a hijacked DNS name) can present their own certificate, terminate the TLS session, and read or alter every query and result that passes through it. This can lead to data theft, silent data manipulation, or reuse of captured data for unauthorized access to sensitive information, compromising the security of the application and its users.
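The weak configuration described above beside its hardened form, together with a small checker that flags the weak setting in any options object destined for 'new Sequelize(...)'. This is an added example, not code from the Symbiotic database entry or from Sequelize itself. It assumes the Postgres dialect, whose 'dialectOptions.ssl' object is passed through to Node's 'tls.connect()'; the CA PEM and host name are placeholders supplied by the caller, and the 'checkServerIdentity' finding covers the other common way of silencing certificate errors (overriding the host name check), which the entry does not mention.

```javascript
// Added example (not from the Symbiotic entry or Sequelize): weak vs hardened
// Sequelize TLS options for the Postgres dialect, plus a checker for the weak
// setting. Assumes dialectOptions.ssl is handed to Node's tls.connect(), which
// is how the pg dialect behaves; caPem and serverName are caller-supplied placeholders.

// Weak: the channel is encrypted, but any server certificate is accepted,
// including one minted by an attacker sitting between the app and the database.
const weakOptions = {
  dialect: 'postgres',
  dialectOptions: {
    ssl: { require: true, rejectUnauthorized: false },
  },
};

// Hardened: keep verification on and trust only the CA that issued the database
// server's certificate. caPem is the PEM-encoded CA bundle (for a managed
// database, the bundle the provider publishes); it is passed in rather than read
// from disk so this module runs stand-alone.
function hardenedOptions(caPem, serverName) {
  if (typeof caPem !== 'string' || !caPem.includes('-----BEGIN CERTIFICATE-----')) {
    throw new Error('caPem must be a PEM-encoded CA certificate bundle');
  }
  const ssl = {
    require: true,
    rejectUnauthorized: true, // Node's default, stated explicitly so a reviewer sees it
    ca: caPem,                // the chain presented by the server must end at this CA
  };
  if (serverName) {
    ssl.servername = serverName; // host name checked against the certificate's SAN
  }
  return { dialect: 'postgres', dialectOptions: { ssl } };
}

// Audit an options object for settings that defeat server authentication.
// Returns an array of findings; an empty array means nothing weak was found.
function auditSequelizeTls(options) {
  const findings = [];
  const ssl = options && options.dialectOptions && options.dialectOptions.ssl;
  if (ssl === undefined || ssl === false) {
    findings.push('dialectOptions.ssl missing or false: TLS is not configured');
    return findings;
  }
  if (typeof ssl !== 'object') {
    return findings; // e.g. ssl: true, which verifies against Node's default trust store
  }
  if (ssl.rejectUnauthorized === false) {
    findings.push('dialectOptions.ssl.rejectUnauthorized is false: server certificate is not verified');
  }
  if (typeof ssl.checkServerIdentity === 'function') {
    // A custom checkServerIdentity is the other common way to silence
    // host name mismatch errors; treat it as needing review.
    findings.push('dialectOptions.ssl.checkServerIdentity is overridden: host name check may be bypassed');
  }
  return findings;
}

// Stand-alone demonstration with a constructed placeholder CA (not a real certificate).
const placeholderCaPem =
  '-----BEGIN CERTIFICATE-----\nMIIBplaceholderNotARealCertificate\n-----END CERTIFICATE-----\n';
console.log(auditSequelizeTls(weakOptions));
console.log(auditSequelizeTls(hardenedOptions(placeholderCaPem, 'db.internal.example')));
```

Run the checker over the options object right before it is handed to Sequelize, or in a unit test of the configuration module, so a 'rejectUnauthorized: false' added to "make the connection work" fails the build instead of reaching production. The MySQL dialect (mysql2) takes the same 'ca' and 'rejectUnauthorized' keys under 'dialectOptions.ssl', so the checker applies there unchanged; the point in every case is that the fix is to supply the CA, not to disable verification.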