Description
Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values — specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.
Published: 2026-03-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing arbitrary query execution
Action: Apply Patch
AI Analysis

Impact

Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14 the sanitization routine for string literals only doubled single quotes but left backslashes untouched. In MySQL, where NO_BACKSLASH_ESCAPES is OFF by default, a backslash is an escape character inside a quoted string, so an attacker-supplied backslash escapes the quote the compiler appends to close the literal; the string no longer ends where the compiler intended, and the remainder of the attacker's input is parsed as SQL. The bug is reachable through any code path that inlines values via the ImmediateValueTransformer, such as CreateIndexBuilder.where() or CreateViewBuilder.as(). The result is execution of attacker-chosen SQL with the privileges of the application's database user, compromising the confidentiality, integrity, and availability of the database.
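The escaping bug described above, as an added example that is not Kysely's own code: a sanitizer that only doubles single quotes (the pre-0.28.14 behaviour the advisory describes), a hardened variant that also doubles backslashes (an assumption about one correct approach, not a copy of the upstream patch), a stand-in for an inlining code path such as CreateIndexBuilder.where(), and a minimal model of how MySQL reads a single-quoted literal when NO_BACKSLASH_ESCAPES is off. All function names, the sample CREATE INDEX statement and the attacker payload are constructed for this example.

```typescript
// Added example for CVE-2026-33468. Not Kysely's code; every name here is
// this example's own assumption.

type Sanitizer = (value: string) => string;

// Pre-0.28.14 behaviour as the advisory describes it: only `'` is doubled,
// backslashes pass through untouched.
const sanitizeStringLiteralVulnerable: Sanitizer = (value) =>
  value.replace(/'/g, "''");

// Hardened variant for MySQL with NO_BACKSLASH_ESCAPES off (assumption: one
// correct approach, not a copy of the upstream fix). Backslashes are doubled
// first, so a trailing `\` can no longer consume the closing quote.
const sanitizeStringLiteralMysql: Sanitizer = (value) =>
  value.replace(/\\/g, "\\\\").replace(/'/g, "''");

// Stand-in for an inlining code path such as CreateIndexBuilder.where():
// the value is sanitized and wrapped in single quotes in the compiled SQL.
function compileWhere(sanitize: Sanitizer, userValue: string): string {
  return `CREATE INDEX idx_col ON t (col) WHERE col = '${sanitize(userValue)}'`;
}

// Minimal model of how MySQL lexes a single-quoted literal when
// NO_BACKSLASH_ESCAPES is off: `\x` yields x, `''` yields a quote, and a
// lone `'` terminates the string. Returns the decoded literal and whatever
// SQL text follows it. Hypothetical helper written for this example.
function readMysqlLiteral(sql: string, start: number): { literal: string; rest: string } {
  if (sql[start] !== "'") throw new Error("expected opening quote");
  let out = "";
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\" && i + 1 < sql.length) {
      out += sql[i + 1]; // escaped character, including an escaped quote
      i += 2;
      continue;
    }
    if (c === "'") {
      if (sql[i + 1] === "'") {
        out += "'"; // doubled quote inside the literal
        i += 2;
        continue;
      }
      return { literal: out, rest: sql.slice(i + 1) };
    }
    out += c;
    i += 1;
  }
  throw new Error("unterminated string literal");
}

// Compile with the given sanitizer, then report where MySQL would end the
// literal and what it would parse as trailing SQL.
function analyze(sanitize: Sanitizer, userValue: string): { sql: string; literal: string; injectedSql: string } {
  const sql = compileWhere(sanitize, userValue);
  const { literal, rest } = readMysqlLiteral(sql, sql.indexOf("'"));
  return { sql, literal, injectedSql: rest.trim() };
}

// Constructed attacker input: a backslash followed by a quote. The vulnerable
// sanitizer turns it into `\''`, which MySQL reads as an escaped quote plus a
// closing quote, so everything after it becomes live SQL.
const PAYLOAD = "\\' OR 1=1 -- ";

for (const [name, sanitize] of [
  ["vulnerable", sanitizeStringLiteralVulnerable],
  ["hardened", sanitizeStringLiteralMysql],
] as const) {
  const r = analyze(sanitize, PAYLOAD);
  console.log(`${name}: literal=${JSON.stringify(r.literal)} injected=${JSON.stringify(r.injectedSql)}`);
}
```

With the vulnerable sanitizer the decoded literal is just a single quote and the text `OR 1=1 -- '` is left outside the string; with the hardened one the whole payload stays inside the literal. A lone trailing backslash (`abc\`) is the other failure mode: the vulnerable output `'abc\'` has no terminating quote at all, which the model reports as an unterminated literal, while the hardened output `'abc\\'` decodes back to `abc\`.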

Affected Systems

The flaw affects all projects that use the kysely library before version 0.28.14. Any Node.js application that imports the library, targets a MySQL database, and passes attacker-influenced strings into a query-builder method that inlines string literals into the compiled SQL (the advisory names CreateIndexBuilder.where(), CreateViewBuilder.as(), and sql.lit()) is potentially vulnerable; the advisory scopes the issue to code paths that go through ImmediateValueTransformer. The vendor is recorded as kysely-org (later normalized to kysely), and the affected product is the Kysely library. The fix is delivered in release 0.28.14.

Risk and Exploitability

The CVSS 3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates high severity; the high attack complexity reflects that exploitation requires the application to pass unsanitized user input into one of the affected inlining code paths against a MySQL server running with the default backslash escaping (NO_BACKSLASH_ESCAPES off). The EPSS score is below 1%, suggesting a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog, although the SSVC record marks exploitation as "poc". Until the application is updated to v0.28.14, the risk is real for deployments that meet these conditions.

Generated by OpenCVE AI on April 1, 2026 at 06:48 UTC.

Remediation

The vendor fix is kysely 0.28.14, as stated in the description and in the GHSA advisory. No separate workaround is documented; until the upgrade is applied, avoid passing untrusted strings to the inlining code paths named above.

OpenCVE Recommended Actions

  • Upgrade to kysely v0.28.14 or newer.


Advisories
Source: GitHub GHSA
ID: GHSA-8cpq-38p9-67gx
Title: Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
History

Wed, 01 Apr 2026 02:15:00 +0000

First Time appeared: Kysely; Kysely kysely
CPEs: cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*
Vendors & Products: Kysely; Kysely kysely

Fri, 27 Mar 2026 08:45:00 +0000

First Time appeared: Kysely-org; Kysely-org kysely
Vendors & Products: Kysely-org; Kysely-org kysely

Thu, 26 Mar 2026 20:15:00 +0000

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 17:15:00 +0000

Description: Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values — specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.
Title: Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
Weaknesses: CWE-89
References:
Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:10.689Z

Reserved: 2026-03-20T16:16:48.968Z

Link: CVE-2026-33468

Vulnrichment

Updated: 2026-03-26T19:50:36.120Z

NVD

Status : Analyzed

Published: 2026-03-26T17:16:41.007

Modified: 2026-03-31T21:24:51.107

Link: CVE-2026-33468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:56:38Z

Weaknesses