Description
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Drizzle ORM incorrectly escaped quoted SQL identifiers in its escapeName() implementations, allowing attacker-controlled input to terminate a quoted identifier and inject arbitrary SQL. This flaw directly maps to CWE-89 and can result in unintended data disclosure or modification through the manipulated SQL query.

Affected Systems

Applications built with drizzle-team/drizzle-orm versions earlier than 0.45.2 for the stable branch or earlier than 1.0.0-beta.20 for the beta branch are affected. Any API that accepts attacker-controlled identifiers, such as sql.identifier() or .as(), can be vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates moderate to high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it may not be widely exploited yet. Exploitation requires passing malicious input through an interface that constructs SQL identifiers; thus the attack vector is likely via application input (e.g., web form or API endpoint). While the vulnerability can lead to significant compromise of data integrity and confidentiality, it does not provide direct remote code execution. The risk is therefore substantial for exposed applications that accept arbitrary identifier input without validation.

Generated by OpenCVE AI on April 7, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade drizzle-orm to version 0.45.2 or later, or 1.0.0-beta.20 or later if using the beta branch.

Generated by OpenCVE AI on April 7, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gpj5-g38j-94v9 Drizzle ORM has SQL injection via improperly escaped SQL identifiers
History

Wed, 15 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Drizzle
Drizzle drizzle
CPEs cpe:2.3:a:drizzle:drizzle:*:*:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta11:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta12:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta13:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta14:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta15:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta16:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta17:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta18:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta19:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta8:*:*:*:node.js:*:*
cpe:2.3:a:drizzle:drizzle:1.0.0:beta9:*:*:*:node.js:*:*
Vendors & Products Drizzle
Drizzle drizzle

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Drizzle-team
Drizzle-team drizzle-orm
Vendors & Products Drizzle-team
Drizzle-team drizzle-orm

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.
Title SQL Injection via escapeName() in all Drizzle ORM SQL dialects
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Drizzle Drizzle
Drizzle-team Drizzle-orm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:33:54.466Z

Reserved: 2026-04-06T21:29:17.349Z

Link: CVE-2026-39356

cve-icon Vulnrichment

Updated: 2026-04-08T14:33:47.867Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:29.610

Modified: 2026-04-15T17:19:47.367

Link: CVE-2026-39356

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:45:54Z

Weaknesses