CVE-2026-33442
Status: Received - Intake
SQL Injection in Kysely Query Compiler via Improper String Escaping

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` → `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-31
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: kysely
Product: kysely
Version / Range: from 0.28.12 (inclusive) to 0.28.14 (exclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33442 is a high-severity SQL Injection vulnerability in the Kysely TypeScript SQL query builder library, specifically in versions 0.28.12 and 0.28.13. The issue occurs because the method `sanitizeStringLiteral` escapes single quotes by doubling them but does not escape backslashes. On MySQL databases using the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote in JSON path keys, which neutralizes the escaping and breaks out of the string literal.

This allows the attacker to inject arbitrary SQL commands through JSON path builder methods like `.key()`. The vulnerability arises because MySQL interprets a backslash before a single quote as an escaped quote, allowing the attacker to terminate the string literal early and append malicious SQL.

The problem is fixed in version 0.28.14 by modifying the `sanitizeStringLiteral` method to also escape backslashes, preventing this bypass.


How can this vulnerability impact me?

This vulnerability can lead to SQL Injection attacks, allowing an attacker to execute arbitrary SQL commands on your MySQL or MariaDB database when using Kysely versions 0.28.12 or 0.28.13.

  • Data exfiltration: Attackers can read sensitive data from the database.
  • Data modification: Attackers can alter or corrupt data.
  • Data deletion or full database compromise depending on the database user's privileges and configuration.

The attack requires no user interaction or privileges and can be performed remotely over the network, making it highly dangerous.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by analyzing queries generated by Kysely versions 0.28.12 and 0.28.13 that use JSON path keys with user-controlled input. Specifically, look for queries where JSON path string literals contain backslashes before single quotes, which may indicate an attempt to exploit the improper escaping.

To detect exploitation attempts on your system or network, you can monitor MySQL query logs for suspicious patterns such as JSON path expressions containing backslash-single quote sequences (e.g., \').

Example commands to search MySQL logs for potential exploitation attempts include:

  • Using grep on the MySQL general query log or slow query log to find a backslash immediately followed by a single quote. Use a fixed-string match, because in GNU grep's regex syntax \' is an end-of-buffer anchor rather than a literal quote: grep -F "\\'" /path/to/mysql/logfile.log
  • Using MySQL to search recent queries when the general log is written to the mysql.general_log table (general_log=ON and log_output including TABLE). INSTR avoids the extra layer of LIKE escaping; the literal '\\''' is the two-character string \' once the server has decoded the backslash and the doubled quote: SELECT event_time, user_host, argument FROM mysql.general_log WHERE INSTR(argument, '\\''') > 0;

Additionally, review application code or logs for usage of Kysely `.key()` or `.at()` methods with user input that might contain backslashes before single quotes.
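The log-search commands above match any backslash-quote sequence. The following is an added example, not part of the advisory and not Kysely's code, that narrows the same idea to the case the advisory describes: a backslash directly before a single quote inside a JSON path literal. It runs over constructed general-log style lines and assumes, as MySQL JSON paths do, that the path literal begins with `$`.

```typescript
// Added example for this advisory page; not from the advisory or from Kysely.
// Flags general-log lines in which a single-quoted JSON path literal (one that
// starts with '$', an assumption of this example) contains a backslash
// immediately before a single quote. The sample log lines are constructed.

// Inside a literal that starts with '$', consume ordinary characters and any
// backslash escape other than \' (so a correctly doubled \\ is skipped as a
// pair), then require a backslash directly before a quote. That arrangement is
// the one in which quote-doubling alone leaves the literal open under
// BACKSLASH_ESCAPES, because the server reads \' as a literal quote and the
// doubled quote that follows closes the string early.
const BACKSLASH_QUOTE_IN_JSON_PATH = /'\$(?:[^'\\]|\\[^'])*\\'/;

function isSuspiciousQuery(line: string): boolean {
  return BACKSLASH_QUOTE_IN_JSON_PATH.test(line);
}

// Return the lines of a general log that match the heuristic.
function findSuspiciousQueries(logText: string): string[] {
  return logText.split("\n").filter((line) => isSuspiciousQuery(line));
}

// Constructed general-log style sample: timestamp, thread id, command, argument.
const SAMPLE_LOG = [
  "2026-03-26T10:00:01.000000Z\t   12 Query\tselect json_extract(doc, '$.name') from items",
  // Backslash before a quote inside the path literal: the pattern to flag.
  "2026-03-26T10:00:02.000000Z\t   12 Query\tselect json_extract(doc, '$.a\\'' TRAILING') from items",
  // Backslash correctly doubled (what a backslash-aware sanitizer emits): not flagged.
  "2026-03-26T10:00:03.000000Z\t   13 Query\tselect json_extract(doc, '$.a\\\\'' TRAILING') from items",
  // \' in an ordinary string literal rather than a JSON path: outside this rule.
  "2026-03-26T10:00:04.000000Z\t   13 Query\tselect * from notes where body = 'it\\'s fine'",
].join("\n");

console.log(findSuspiciousQueries(SAMPLE_LOG));
```

The regex is a heuristic over a single line: it does not track literal boundaries across the whole statement, so a query that legitimately places `$` right after a closing quote could be reported and should be reviewed by hand rather than auto-blocked.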


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade Kysely to version 0.28.14 or later, where the `sanitizeStringLiteral` method has been fixed to properly escape backslashes in addition to single quotes.

If upgrading is not immediately possible, consider implementing a temporary workaround by overriding the `sanitizeStringLiteral` method in your MySQL-specific compiler to escape backslashes as well as single quotes.

Also, review and sanitize any user input passed to `.key()`, `.at()`, or other JSON path builder methods to ensure it does not contain malicious backslash-single quote sequences.

Finally, monitor your database logs for suspicious queries and consider restricting database user privileges and disabling multiple statement execution if possible to reduce the impact of any potential injection.
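To make the mechanism described in the Q&A above and the workaround concrete, here is an added example that is not Kysely's own code. It models the two escaping strategies the advisory contrasts (quote doubling alone, and quote doubling plus backslash escaping) together with a simplified reader for a MySQL single-quoted literal under backslash escaping, so the effect of each strategy can be checked offline. The `json_extract(doc, '$.<key>')` rendering is an assumption for illustration, not Kysely's exact output, and the probe key uses the harmless marker text TRAILING in place of anything an attacker would append.

```typescript
// Added example for this advisory page; it is not Kysely's code. It contrasts
// the escaping the advisory attributes to 0.28.12/0.28.13 with a backslash-aware
// version, and checks each against a simplified model of MySQL literal parsing.

// Escaping as the advisory describes the affected versions: only ' is doubled.
function sanitizeQuoteOnly(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened escaping, as the advisory describes the 0.28.14 fix: backslashes are
// escaped too, so a backslash can never be left standing in front of a doubled quote.
function sanitizeBackslashAware(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Assumed, simplified rendering of a JSON path lookup for `key`.
function compileJsonPath(key: string, sanitize: (v: string) => string): string {
  return `json_extract(doc, '$.${sanitize(key)}')`;
}

// Simplified model of how MySQL with backslash escaping enabled (the default,
// i.e. NO_BACKSLASH_ESCAPES off) consumes a single-quoted literal that starts
// at index 0 of `sql`. Returns the decoded value and the text after the closing
// quote. Only the two escape forms relevant here, \x and '', are modelled.
function consumeMysqlLiteral(sql: string): { value: string; rest: string } {
  if (sql[0] !== "'") throw new Error("expected a single-quoted literal");
  let out = "";
  let i = 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\" && i + 1 < sql.length) {
      // Backslash escape: \' is a literal quote, \\ a literal backslash.
      out += sql[i + 1];
      i += 2;
      continue;
    }
    if (c === "'") {
      if (sql[i + 1] === "'") {
        // A doubled quote inside the literal is a literal quote.
        out += "'";
        i += 2;
        continue;
      }
      return { value: out, rest: sql.slice(i + 1) };
    }
    out += c;
    i++;
  }
  throw new Error("unterminated literal");
}

// Compile a key with the given sanitizer and report whether the path literal
// ends where the compiler intended (directly before the closing parenthesis).
function checkPathLiteral(key: string, sanitize: (v: string) => string) {
  const sql = compileJsonPath(key, sanitize);
  const parsed = consumeMysqlLiteral(sql.slice(sql.indexOf("'")));
  return { sql, ...parsed, intact: parsed.rest === ")" };
}

// Constructed probe: a backslash before a quote, followed by marker text that
// stands in for whatever would otherwise follow the break-out.
const probeKey = "a\\' TRAILING";
console.log(checkPathLiteral(probeKey, sanitizeQuoteOnly));      // intact: false
console.log(checkPathLiteral(probeKey, sanitizeBackslashAware)); // intact: true
```

With quote doubling alone, the server reads `\'` as an escaped quote and the next `'` closes the literal, leaving ` TRAILING')` outside the string; with backslashes escaped as well, the literal round-trips to the original key and ends in the intended place. The body of `sanitizeBackslashAware` is what a temporary override of `sanitizeStringLiteral` in a MySQL-specific compiler subclass would do. One caveat: doubling backslashes is only correct when the server is in backslash-escaping mode; under `NO_BACKSLASH_ESCAPES` the extra backslash becomes data, so the override must match the server's `sql_mode`, which is a further reason to prefer upgrading to 0.28.14.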


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability enables SQL Injection attacks that can lead to arbitrary SQL execution, including data exfiltration, modification, or deletion depending on database privileges.

Such unauthorized access or manipulation of sensitive data can result in violations of data protection regulations and standards like GDPR and HIPAA, which mandate the protection of personal and health information.

Therefore, if exploited, this vulnerability could compromise compliance by exposing or altering protected data without authorization.

