Dagster · Dagster Core · CVE-2026-41490
**Name of the Vulnerable Software and Affected Versions**
Dagster Core versions prior to 1.13.1
Dagster libraries versions prior to 0.29.1
**Description**
DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers construct SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the `Add Dynamic Partitions` permission can create a partition key that injects arbitrary SQL, which executes against the target database backend using the I/O manager's credentials. This issue only affects deployments using dynamic partitions; pipelines using static or time-window partitions are not impacted.
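The difference between interpolating a partition key into the WHERE clause and passing it as a bound parameter, shown as an added example that is not Dagster's code and not from the original advisory. It uses Python's built-in `sqlite3` as a stand-in backend; the `events` table, the function names and the sample keys are constructed for illustration, and parameter binding is shown as one standard way to keep the key as data.

```python
import sqlite3

# Constructed sample data: a table partitioned by a string column.
ROWS = [("us", 1), ("us", 2), ("eu", 3), ("apac", 4)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (region TEXT, value INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", ROWS)
    return conn


def load_partition_interpolated(conn, partition_key):
    # Unsafe pattern described in the advisory: the key is pasted into the
    # SQL text, so a quote inside the key ends the string literal early and
    # the rest of the key is parsed as SQL.
    sql = f"SELECT value FROM events WHERE region = '{partition_key}'"
    return sorted(row[0] for row in conn.execute(sql))


def load_partition_bound(conn, partition_key):
    # Hardened pattern: the key travels as a bound parameter and is only
    # ever compared as data, whatever characters it contains.
    sql = "SELECT value FROM events WHERE region = ?"
    return sorted(row[0] for row in conn.execute(sql, (partition_key,)))


def compare(partition_key):
    # Run both loaders against a fresh database and return both results.
    conn = make_db()
    try:
        return (load_partition_interpolated(conn, partition_key),
                load_partition_bound(conn, partition_key))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed keys: an ordinary one and one containing a quote.
    for key in ("us", "us' OR '1'='1"):
        unsafe, safe = compare(key)
        print(f"{key!r}: interpolated={unsafe} bound={safe}")
```

With the quoted key, the interpolated query returns rows from every partition, while the bound query matches no partition at all because no row has that literal key.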
**Recommendations**
Update Dagster Core to version 1.13.1.
Update Dagster libraries to version 0.29.1.