Impact
Kysely's query compiler contains a flaw in the sanitizeStringLiteral method: it escapes single quotes but leaves backslashes untouched. On MySQL databases running the default BACKSLASH_ESCAPES mode, an attacker can prepend a backslash to the input string so that the backslash neutralizes the escaping of the single quote that follows it. This lets the attacker terminate the JSON path string literal and inject arbitrary SQL statements through the query builder, potentially causing unauthorized data disclosure or modification. The defect is a classic SQL injection weakness described by CWE-89.
Affected Systems
The affected product is Kysely, maintained by kysely-org. Versions 0.28.12 and 0.28.13 are vulnerable when used with a MySQL backend that has the default BACKSLASH_ESCAPES mode enabled. All applications that rely on these library versions to build SQL queries from user-supplied JSON path keys are at risk. The issue was remedied in version 0.28.14, which now properly escapes backslashes.
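As an added illustration of the escaping flaw described under Impact and the fix noted above (example code written for this page, not Kysely's own sanitizeStringLiteral or its 0.28.14 patch): a quote-only sanitizer modelling the vulnerable behaviour, an assumed hardened form that escapes backslashes as well, and a small scanner for the body of a single-quoted MySQL literal under BACKSLASH_ESCAPES that reports whether the literal stays closed. The function names, the hardened escaping choice and the sample keys are assumptions.

```typescript
// Model of the vulnerable sanitizer (assumed, not Kysely's code): only the
// single quote is escaped, by doubling it; backslashes pass through unchanged.
function sanitizeStringLiteralVulnerable(value: string): string {
  return value.replace(/'/g, "''");
}

// Assumed hardened form: double the escape character first, then the quote,
// so a backslash in the input can no longer swallow the quote's escape.
function sanitizeStringLiteralHardened(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Minimal scanner for the body of a single-quoted MySQL literal under the
// default BACKSLASH_ESCAPES mode: "\x" consumes the next character, "''" is an
// escaped quote, and a lone "'" closes the literal. Returns true only when the
// whole body is consumed without the literal closing early; false means the
// remainder of the string would be parsed as SQL.
function literalStaysClosed(body: string): boolean {
  let i = 0;
  while (i < body.length) {
    const c = body[i];
    if (c === "\\") { i += 2; continue; }
    if (c === "'") {
      if (body[i + 1] === "'") { i += 2; continue; }
      return false;
    }
    i += 1;
  }
  return true;
}

// Build the JSON path literal the way a query compiler would: quote,
// "$." prefix, sanitized key, quote. Used here only to show the full literal.
function jsonPathLiteral(sanitize: (v: string) => string, key: string): string {
  return `'$.${sanitize(key)}'`;
}

// Constructed sample keys: a benign key containing a quote, and one that
// places a backslash directly in front of a quote.
const BENIGN_KEY = "user's name";
const BACKSLASH_QUOTE_KEY = "\\'";
```

The check to keep in a test suite is `literalStaysClosed(sanitize(key))` over keys containing quotes and backslashes; the vulnerable sanitizer fails it for the second sample key, the hardened one passes for both.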
Risk and Exploitability
The vulnerability scores 8.1 on the CVSS scale, indicating high severity. EPSS analysis puts the probability of exploitation below 1%, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is an application that constructs dynamic SQL using JSON path keys, where an attacker can supply a crafted key to the underlying query builder. While exploitation enables arbitrary SQL execution, it requires the vulnerable library version and integration with a MySQL database running the default BACKSLASH_ESCAPES mode.
OpenCVE Enrichment
GitHub GHSA