2026-03-26 17:03:05
GitHub_M
PUBLISHED
Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kyselys `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`` → ``) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values — specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`. Version 0.28.14 contains a fix.