Drizzle · Drizzle · CVE-2026-39356
Name of the Vulnerable Software and Affected Versions
Drizzle ORM versions prior to 0.45.2 on the 0.x release line, and 1.0.0 pre-releases prior to 1.0.0-beta.20
Description
Drizzle ORM does not properly escape the quote character inside quoted SQL identifiers in its `escapeName()` implementations. An attacker who controls a string that an application passes to an identifier-building API, such as `sql.identifier()` or `.as()`, can therefore terminate the quoted identifier early and inject SQL after it. Applications that only pass fixed, developer-chosen identifiers to these APIs are not exposed.
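The following TypeScript is an added example and is not code from the Drizzle project or from this advisory; it models the bug class the description names with hypothetical helpers (`quoteIdentifierNaive`, `quoteIdentifierSafe`, `parsesAsOneIdentifier`, `buildSelect`, `assertAllowedIdentifier`). It places a quoting routine that wraps an identifier in the dialect's quote character without doubling embedded quotes beside one that does, and adds the allowlist check an application should apply before handing user input to any identifier-building API. The attacker string is constructed for the example.

```typescript
// Added illustration of the bug class in this advisory. This is NOT Drizzle's
// escapeName() and does not reproduce its code; every name below is a
// hypothetical helper written for this example.

type Dialect = "pg" | "mysql" | "sqlite";

// Identifier quote character per dialect: PostgreSQL and SQLite use "...",
// MySQL uses `...`. In all three, an embedded quote is escaped by doubling it.
const IDENT_QUOTE: Record<Dialect, string> = { pg: '"', mysql: "`", sqlite: '"' };

// Flawed variant: wraps the name in quotes but never escapes a quote that is
// already inside it, so an attacker-supplied name can close the identifier early.
export function quoteIdentifierNaive(name: string, dialect: Dialect): string {
  const q = IDENT_QUOTE[dialect];
  return q + name + q;
}

// Hardened variant: every embedded quote character is doubled, the standard
// escape for quoted identifiers in PostgreSQL, MySQL and SQLite.
export function quoteIdentifierSafe(name: string, dialect: Dialect): string {
  const q = IDENT_QUOTE[dialect];
  if (name.includes("\0")) {
    throw new Error("identifier must not contain a NUL byte");
  }
  return q + name.split(q).join(q + q) + q;
}

// Checks that a quoted string is exactly one identifier: it starts and ends
// with the quote character and every quote inside the body is doubled.
export function parsesAsOneIdentifier(quoted: string, dialect: Dialect): boolean {
  const q = IDENT_QUOTE[dialect];
  if (quoted.length < 2 || quoted[0] !== q || quoted[quoted.length - 1] !== q) {
    return false;
  }
  const body = quoted.slice(1, -1);
  for (let i = 0; i < body.length; i++) {
    if (body[i] === q) {
      if (body[i + 1] !== q) return false; // lone quote: identifier ends early
      i++; // skip the second half of the doubled pair
    }
  }
  return true;
}

// A builder in the style of the affected APIs: the column name goes into the
// SQL text as a quoted identifier, not as a bound parameter.
export function buildSelect(
  column: string,
  table: string,
  dialect: Dialect,
  quote: (name: string, dialect: Dialect) => string = quoteIdentifierSafe,
): string {
  return "SELECT " + quote(column, dialect) + " FROM " + quote(table, dialect);
}

// Application-side defence that holds regardless of ORM version: only
// identifiers from a fixed allowlist may reach an identifier-building API.
export function assertAllowedIdentifier(name: string, allowed: ReadonlySet<string>): string {
  if (!allowed.has(name)) {
    throw new Error("unknown identifier: " + JSON.stringify(name));
  }
  return name;
}

// Constructed attacker input: a column "name" that closes the double-quoted
// identifier and appends a second statement.
export const ATTACKER_COLUMN = 'id" FROM users; DROP TABLE users; --';

// Both renderings side by side, for a quick look in a REPL.
export function demo(): { naive: string; safe: string } {
  return {
    naive: buildSelect(ATTACKER_COLUMN, "users", "pg", quoteIdentifierNaive),
    safe: buildSelect(ATTACKER_COLUMN, "users", "pg"),
  };
}
```

With the naive quoting, `demo().naive` yields `SELECT "id" FROM users; DROP TABLE users; --" FROM "users"`: the first `"` in the attacker string closes the identifier and the rest is parsed as SQL. With the hardened quoting the same input becomes `"id"" FROM users; DROP TABLE users; --"`, a single odd-looking column name that the database will simply report as unknown. `assertAllowedIdentifier` is the check to apply in application code before calling any identifier-building API, since the patch fixes escaping but cannot decide which identifiers a user is permitted to name.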
Recommendations
Update to version 0.45.2 on the 0.x line, or to 1.0.0-beta.20 on the 1.0.0 pre-release line. Independently of the upgrade, do not pass attacker-controlled strings to `sql.identifier()`, `.as()` or other identifier-building APIs; map user input to a fixed allowlist of known table and column names before it reaches the query builder.