PT-2026-26761 · Kysely · Kysely

Offset · Published 2026-03-20 · Updated 2026-03-29 · CVE-2026-33442

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kysely versions 0.28.12 through 0.28.13
Description: Kysely's sanitizeStringLiteral method inadequately handles backslashes when escaping single quotes, leading to potential SQL injection in MySQL databases running the default SQL mode, in which backslashes act as escape characters. Specifically, an attacker can place a backslash before a single quote to bypass the escaping mechanism and inject arbitrary SQL. The issue arises when the .key() method of a JSON path builder is called with user-controlled input that is not properly sanitized: sanitizeStringLiteral only doubles single quotes and does not escape backslashes. An input string containing a backslash followed by a single quote is therefore interpreted by MySQL as an escaped single quote rather than a doubled one, which terminates the string literal early and enables SQL injection. The vulnerability affects applications using Kysely with MySQL that pass user-controlled input to .key(), .at(), or other JSON path builder methods.
Recommendations: Kysely versions 0.28.12 and 0.28.13 should be updated to version 0.28.14 or later. As a temporary workaround, consider avoiding the use of the .key() JSON path builder method with user-controlled input until a patch is available. If the .key() method must be used with user input, ensure that backslashes are escaped in addition to single quotes before passing the input to the function.
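The following is an added example, not Kysely's own code: it reconstructs the defect described above (a sanitizer that only doubles single quotes) beside the hardened form the recommendation asks for (backslashes escaped too), and adds a checker that models how MySQL's default SQL mode scans a single-quoted literal so that the two sanitizers can be compared on a constructed input. All function names and the sample input are assumptions for illustration.

```typescript
// Pre-fix behaviour as described in the advisory: only ' is doubled.
function sanitizeStringLiteralVulnerable(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened form matching the recommendation: escape backslashes first,
// then double single quotes, so neither can close the literal early.
function sanitizeStringLiteralHardened(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Models MySQL scanning of '...' with backslash escapes enabled (default mode).
// Returns true only if the whole text is exactly one complete string literal,
// i.e. the closing quote is the final character and nothing trails it.
function isSingleMysqlLiteral(sql: string): boolean {
  if (sql.length < 2 || sql[0] !== "'") return false;
  let i = 1;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "\\") {            // backslash escapes the next character
      i += 2;
      continue;
    }
    if (ch === "'") {
      if (sql[i + 1] === "'") {   // doubled quote is an escaped quote
        i += 2;
        continue;
      }
      return i === sql.length - 1; // a lone quote closes the literal
    }
    i += 1;
  }
  return false;                   // unterminated literal
}

// Wraps the sanitized value in quotes, as a query builder would, and checks
// that the result is still a single closed literal.
function literalStaysClosed(sanitize: (v: string) => string, value: string): boolean {
  return isSingleMysqlLiteral(`'${sanitize(value)}'`);
}

// Constructed input (hypothetical): a backslash immediately before a quote.
const CONSTRUCTED_INPUT = "a\\'b";

console.log(literalStaysClosed(sanitizeStringLiteralVulnerable, CONSTRUCTED_INPUT)); // false
console.log(literalStaysClosed(sanitizeStringLiteralHardened, CONSTRUCTED_INPUT));   // true
```

The checker is a useful regression test for any sanitizer that feeds string literals into MySQL: a sanitized value that does not keep the literal closed for every input, including one ending in a bare backslash, is not safe to interpolate.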

Exploit

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2026-33442
GHSA-FR9J-6MVQ-FRCV

Affected products

Kysely