PT-2026-26762 · Kysely · Kysely

Offset

Published 2026-03-20 · Updated 2026-03-26

CVE-2026-33468

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kysely versions prior to 0.28.14

Description: Kysely's DefaultQueryCompiler.sanitizeStringLiteral() escapes string literals inadequately: it doubles single quotes but leaves backslashes untouched. Under the MySQL dialect, where the NO_BACKSLASH_ESCAPES sql_mode is OFF by default and a backslash therefore escapes the character that follows it, an attacker can place a backslash immediately before a quote. The server then reads the doubled quote as an escaped quote followed by the literal's terminator, and everything after it as SQL, which yields arbitrary SQL injection.

The issue is confined to code paths that inline values into the SQL text through ImmediateValueTransformer, notably CreateIndexBuilder.where() and CreateViewBuilder.as(). The root cause is that sanitizeStringLiteral() uses a regular expression that matches only single quotes; appendStringLiteral() calls it and wraps the result in single quotes, and MysqlQueryCompiler inherits this behaviour without overriding sanitizeStringLiteral(). A proof of concept demonstrates that crafted input containing a backslash breaks out of the intended string-literal context and executes arbitrary SQL, potentially leading to data exfiltration, data modification or authentication bypass.

Recommendations: Update to version 0.28.14 or later. The MysqlQueryCompiler should override sanitizeStringLiteral() so that backslashes are escaped before single quotes are doubled: each backslash should be written as `\\`, and each single quote as `''`. Values passed as ordinary query parameters are not affected; only the inline-value paths listed above are.
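The following TypeScript is an added illustration, not Kysely's source and not the advisory's proof of concept: it reconstructs the vulnerable sanitizer and the recommended fix from the description above, then runs both outputs through a simplified model of how a MySQL server scans a single-quoted literal when NO_BACKSLASH_ESCAPES is OFF. The function names, the `v`/`t`/`c` identifiers in the generated statement and the payload are assumptions made for the example; the CREATE VIEW shape stands in for the CreateViewBuilder.as() path named in the advisory.

```typescript
// Added example (not Kysely's code). Reconstructs the escaping defect described in
// the advisory beside the recommended fix, and checks both against a simplified
// model of MySQL's string-literal scanner with NO_BACKSLASH_ESCAPES OFF.
// All identifiers and the payload below are assumptions for this illustration.

// Vulnerable behaviour as described: only single quotes are doubled; backslashes pass through.
function sanitizeStringLiteralVulnerable(value: string): string {
  return value.replace(/'/g, "''");
}

// Recommended fix: escape each backslash as \\ first, then double single quotes.
function sanitizeStringLiteralFixed(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Mirrors the appendStringLiteral() behaviour described: wrap the sanitized value in quotes.
function appendStringLiteral(value: string, sanitize: (v: string) => string): string {
  return `'${sanitize(value)}'`;
}

// Simplified MySQL literal scanner (NO_BACKSLASH_ESCAPES OFF): a backslash makes the
// following character literal, '' inside the literal is one quote, and any other
// unescaped quote terminates the literal. Returns the decoded value and the SQL
// text that follows the closing quote.
function scanMysqlLiteral(sql: string, start: number): { value: string; rest: string } {
  if (sql[start] !== "'") throw new Error("expected a single-quoted literal");
  let value = "";
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\" && i + 1 < sql.length) {
      value += sql[i + 1]; // backslash escape: next character is taken literally
      i += 2;
    } else if (c === "'") {
      if (sql[i + 1] === "'") {
        value += "'"; // doubled quote inside the literal
        i += 2;
      } else {
        return { value, rest: sql.slice(i + 1) }; // literal closed here
      }
    } else {
      value += c;
      i += 1;
    }
  }
  throw new Error("unterminated string literal");
}

// Inlines a value into a CREATE VIEW ... AS SELECT statement and reports how the
// server would split it: the value it reads from the literal, and whatever SQL is
// left after the literal closes. A non-empty `trailing` means the input escaped
// the string context.
function compileInlineWhere(
  input: string,
  sanitize: (v: string) => string,
): { sql: string; literal: string; trailing: string } {
  const sql = `CREATE VIEW v AS SELECT * FROM t WHERE c = ${appendStringLiteral(input, sanitize)}`;
  const { value, rest } = scanMysqlLiteral(sql, sql.indexOf("'"));
  return { sql, literal: value, trailing: rest.trim() };
}

// Constructed payload: a backslash immediately before the quote. With the vulnerable
// sanitizer the quote is doubled to \'' which MySQL reads as an escaped quote followed
// by the literal's terminator, leaving "OR 1=1 -- '" outside the string.
const payload = "x\\' OR 1=1 -- ";

const vulnerable = compileInlineWhere(payload, sanitizeStringLiteralVulnerable);
const fixed = compileInlineWhere(payload, sanitizeStringLiteralFixed);

console.log(vulnerable.sql);
console.log(`vulnerable: literal=${JSON.stringify(vulnerable.literal)} trailing=${JSON.stringify(vulnerable.trailing)}`);
console.log(fixed.sql);
console.log(`fixed:      literal=${JSON.stringify(fixed.literal)} trailing=${JSON.stringify(fixed.trailing)}`);
```

With the vulnerable sanitizer the scanner closes the literal after `x'` and the rest of the payload is parsed as SQL; with the fixed sanitizer the whole payload, backslash included, is read back as the literal's value and nothing trails it. The scanner is a deliberately small model of the server's tokenizer, enough to show the escaping boundary, not a full MySQL lexer.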

Exploit

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2026-33468
GHSA-8CPQ-38P9-67GX

Affected products

Kysely