CVE-2026-44635
JSON Path Injection in Kysely TypeScript Query Builder
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kysely | kysely | up to 0.28.16 (inclusive) |
| kysely | kysely | 0.28.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Kysely, a type-safe TypeScript SQL query builder, in versions from 0.26.0 to 0.28.16. The issue lies in the DefaultQueryCompiler.visitJSONPathLeg function, which does not escape JSON-path metacharacters such as ., [, ], *, **, and ?. When attacker-controlled input is passed into certain functions like eb.ref(col, '->$').key(input) or .at(input), each dot in the input is treated as a path-leg separator. This allows an attacker to traverse from the intended JSON key into sibling and child fields that the developer did not intend to expose.
As a result, the attacker can gain read access, and in update statements, write access to JSON sub-fields outside the intended scope across databases like MySQL, PostgreSQL, and SQLite. This vulnerability was fixed in version 0.28.17.
How can this vulnerability impact me?
This vulnerability can allow an attacker to access and potentially modify JSON data fields that were not meant to be accessible. Specifically, the attacker can read sensitive data from sibling or child JSON fields beyond the intended key, and in some cases, write or update those fields.
Such unauthorized access and modification can lead to data leakage, data integrity issues, and potential compromise of application logic or user data stored in JSON columns within supported databases like MySQL, PostgreSQL, and SQLite.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Kysely to version 0.28.17 or later where the issue is fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to read and modify JSON sub-fields beyond the intended scope, potentially exposing sensitive data such as tokens, Social Security Numbers (SSNs), or admin flags.
Such unauthorized access and modification of sensitive personal or protected health information can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over access to and integrity of sensitive data.
Therefore, exploitation of this vulnerability could result in violations of these regulations due to improper data exposure and unauthorized data changes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for usage of the Kysely SQL query builder versions 0.26.0 to 0.28.16 in your environment, especially where JSON-path methods `.key()` or `.at()` are used with attacker-controlled input.
Detection involves identifying queries or logs where JSON-path metacharacters such as dots (.), brackets ([ ]), asterisks (*), double asterisks (**), or question marks (?) appear in inputs to `.key()` or `.at()` methods, which could indicate attempted path traversal.
Since this is a code-level vulnerability, network detection might include searching for suspicious payloads in application logs or network traffic that contain JSON-path metacharacters used in these methods.
Suggested commands to detect potential exploitation attempts could include grepping application logs or source code for vulnerable method usage patterns, for example:
- `grep -rE '\.key\(|\.at\(' /path/to/source/code`
- `grep -rE '[\.\[\]\*\?]' /path/to/application/logs`
Additionally, monitoring database query logs for JSON-path expressions containing unexpected metacharacters in keys may help detect exploitation attempts.