Description
Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue.
Published: 2026-03-19
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Now
AI Analysis

Impact

Kysely is a type‑safe TypeScript SQL query builder. In versions up to and including 0.28.11, the JSON path compiler for MySQL and SQLite concatenates user‑controlled values supplied via the .key() and .at() methods directly into single‑quoted JSON path string literals without escaping single quotes. This omission permits an attacker to terminate the JSON path string and injected malicious SQL into the query. The flaw is a classic SQL Injection (CWE‑89) that can allow an attacker to read, modify or delete data in the database, thereby compromising confidentiality, integrity, and availability of the application’s data.

Affected Systems

Any Node.js application that imports the kysely-org/kysely library and uses the .key() or .at() methods to build JSON path expressions against MySQL or SQLite is affected. All releases up to 0.28.11 are vulnerable; the fix is included in release 0.28.12 and later.

Risk and Exploitability

The vulnerability carries a high severity with a CVSS score of 8.2. Its EPSS score is below 1% and it is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation for the time being. However, the attack vector is straightforward: an attacker who can influence data passed to .key() or .at() can inject arbitrary SQL. This can provide the same level of access as the application, potentially leading to data exfiltration or modification.

Generated by OpenCVE AI on April 8, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Kysely 0.28.12 or later to apply the fix.
  • If an immediate upgrade is not possible, avoid passing untrusted data to the .key() or .at() methods; instead validate or escape values manually and use Kysely’s identifier sanitization utilities when constructing JSON paths.

Generated by OpenCVE AI on April 8, 2026 at 23:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wmrf-hv6w-mr66 SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
History

Wed, 08 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Kysely
Kysely kysely
CPEs cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*
Vendors & Products Kysely
Kysely kysely

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Kysely-org
Kysely-org kysely
Vendors & Products Kysely-org
Kysely-org kysely

Thu, 19 Mar 2026 23:30:00 +0000

Type Values Removed Values Added
Description Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JSON path string literals (`'$.key'`) without escaping single quotes. An attacker can break out of the JSON path string context and inject arbitrary SQL. This is inconsistent with `sanitizeIdentifier()`, which properly doubles delimiter characters for identifiers — both are non-parameterizable SQL constructs requiring manual escaping, but only identifiers are protected. Version 0.28.12 fixes the issue.
Title SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Kysely Kysely
Kysely-org Kysely
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:05:22.505Z

Reserved: 2026-03-13T18:53:03.533Z

Link: CVE-2026-32763

cve-icon Vulnrichment

Updated: 2026-03-21T03:05:00.664Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T00:16:17.790

Modified: 2026-04-08T20:57:45.050

Link: CVE-2026-32763

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:44Z

Weaknesses