Improper Certificate Validation (Sequelize `rejectUnauthorized: false`)
| Property | Value |
|---|---|
| Language | JavaScript |
| Severity | |
| CWE | CWE-295: Improper Certificate Validation |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Setting `rejectUnauthorized: false` in the `ssl` object of Sequelize's `dialectOptions` tells the underlying database driver (for example `pg` or `mysql2`), and through it Node's TLS stack, to accept any server certificate: self-signed, expired, or issued for a different host. The connection is still encrypted, but the client no longer verifies that it is talking to the real database server, so anyone on the network path can present their own certificate and impersonate it. The setting is usually introduced as a quick fix for a certificate-chain error when the database uses an internal or provider-specific CA; the correct fix is to keep verification enabled and supply that CA through the `ca` option.
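The insecure setting beside its hardened form, as an added JavaScript example that is not part of this page or of Sequelize itself. The Sequelize constructor is not called here; `SAMPLE_CA_PEM` is a constructed placeholder for the bundle of the CA that issued your database server's certificate, and `auditTlsOptions` is a hypothetical helper for checking your own configuration objects, not a Sequelize API.

```javascript
// Added example (not from the original page or from Sequelize): the insecure
// Sequelize TLS setting beside the hardened one, plus a small audit helper
// that flags disabled certificate verification.

// Constructed placeholder. In real use, load the PEM bundle of the CA that
// issued the database server's certificate (an internal CA or the provider's
// published bundle).
const SAMPLE_CA_PEM =
  '-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n';

// INSECURE: TLS is negotiated, but any certificate is accepted, so an on-path
// attacker can present their own certificate and impersonate the database.
const insecureOptions = {
  dialect: 'postgres',
  dialectOptions: {
    ssl: { require: true, rejectUnauthorized: false },
  },
};

// HARDENED: keep verification on and pin the trust anchor to the CA that
// actually signed the server certificate. Sequelize hands dialectOptions.ssl
// to the driver (pg, mysql2), which forwards it to Node's tls.connect().
function secureOptions(caPem) {
  return {
    dialect: 'postgres',
    dialectOptions: {
      ssl: {
        require: true,
        rejectUnauthorized: true,
        ca: caPem,
      },
    },
  };
}

// Hypothetical audit helper: returns the problems found in a Sequelize options
// object. It covers the usual ways verification gets weakened: no TLS at all,
// rejectUnauthorized set to false, and a no-op checkServerIdentity override
// that skips host-name matching.
function auditTlsOptions(options) {
  const findings = [];
  const ssl = options?.dialectOptions?.ssl;

  if (ssl === undefined || ssl === false) {
    findings.push('no ssl configured: traffic to the database is plaintext');
    return findings;
  }
  if (ssl === true) {
    // Driver default: Node verifies the chain against its bundled CA store.
    return findings;
  }
  if (ssl.rejectUnauthorized === false) {
    findings.push('rejectUnauthorized is false: server certificate is not verified');
  }
  if (typeof ssl.checkServerIdentity === 'function') {
    let result;
    try {
      // A real implementation returns an Error (or throws) for an empty cert;
      // the common `() => undefined` stub returns nothing at all.
      result = ssl.checkServerIdentity('db.example.internal', {});
    } catch (e) {
      result = e;
    }
    if (result === undefined) {
      findings.push('checkServerIdentity is overridden to accept any host name');
    }
  }
  if (ssl.rejectUnauthorized !== false && !ssl.ca) {
    findings.push('info: no custom ca set; verification relies on the system CA store');
  }
  return findings;
}

module.exports = { SAMPLE_CA_PEM, insecureOptions, secureOptions, auditTlsOptions };
```

Pass the result of `secureOptions(caPem)` as the fourth argument of `new Sequelize(database, username, password, options)`. The same `dialectOptions.ssl` shape (`ca`, `rejectUnauthorized`) applies to the `mysql` dialect through `mysql2`. If the audit reports that the CA is missing, that is only informational: it means the server certificate must chain to a CA in Node's bundled store, which is not the case for most managed databases or internal PKIs.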
Impact
An attacker positioned between your Node.js application and the database (a compromised network segment, a poisoned DNS answer, a hijacked route inside a cloud network) can terminate the TLS connection with their own certificate, read and modify every query and result, and observe the authentication exchange the application performs. This can lead to data theft, data manipulation, or unauthorized access to sensitive information, compromising the application and its users. Because the traffic is still encrypted, nothing on the wire looks unusual, so the attack is unlikely to be noticed at runtime.