Description
Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue.
Published: 2026-03-19
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

Kysely is a type‑safe TypeScript SQL query builder. In versions up to and including 0.28.11 a SQL injection flaw exists in the handling of JSON path keys for the MySQL and SQLite dialects. The function visitJSONPathLeg() appends values supplied via .key() or .at() directly into single‑quoted JSON path string literals such as '$.key' without escaping single quotes. This allows an attacker to terminate the JSON path string and inject arbitrary SQL statements, potentially leading to data exfiltration, modification, or deletion.

Affected Systems

Systems affected are applications that use the Kysely library (kysely‑org:kysely) with the MySQL or SQLite dialects, and which provide user input to the .key() or .at() methods. Any installation of Kysely with version 0.28.11 or earlier is vulnerable. The issue is mitigated in version 0.28.12 and later.

Risk and Exploitability

The vulnerability has a CVSS score of 8.2, indicating high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an attacker can supply malicious JSON path keys and that the application does not enforce strict error handling or use parameterized queries for this code path. The lack of public exploit evidence does not diminish the risk, given the simplicity of the injection path and the potential impact on data integrity and confidentiality.

Generated by OpenCVE AI on March 20, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kysely to version 0.28.12 or later

Generated by OpenCVE AI on March 20, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wmrf-hv6w-mr66 SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
History

Wed, 08 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Kysely
Kysely kysely
CPEs cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*
Vendors & Products Kysely
Kysely kysely

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Kysely-org
Kysely-org kysely
Vendors & Products Kysely-org
Kysely-org kysely

Thu, 19 Mar 2026 23:30:00 +0000

Type Values Removed Values Added
Description Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue.
Title SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Kysely Kysely
Kysely-org Kysely
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:05:22.505Z

Reserved: 2026-03-13T18:53:03.533Z

Link: CVE-2026-32763

cve-icon Vulnrichment

Updated: 2026-03-21T03:05:00.664Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T00:16:17.790

Modified: 2026-04-08T20:57:45.050

Link: CVE-2026-32763

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T10:43:46Z

Weaknesses