Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
- Severity: High
Description
The sanitizeStringLiteral method in Kysely’s query compiler escapes single quotes (' → '') but does not escape backslashes. On MySQL with the default BACKSLASH_ESCAPES SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL.
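The following is an added illustration of the defect described above, not Kysely's own code: a quote-only escape beside one that also escapes backslashes, plus a small scanner that reads a single-quoted literal the way MySQL does in its default backslash-escapes mode (assumed here) and reports whether the JSON path stays confined to one literal.

```javascript
// Vulnerable behaviour described in the advisory: doubles single quotes, ignores backslashes.
function escapeQuotesOnly(value) {
  return value.replace(/'/g, "''");
}

// Hardened variant: escape backslashes first, then double single quotes.
function escapeForMySql(value) {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Scan a single-quoted literal as MySQL does with backslash escapes enabled (assumption).
// Returns the index just past the closing quote, or -1 if the literal never terminates.
function literalEnd(sql, start) {
  if (sql[start] !== "'") return -1;
  let i = start + 1;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "\\") { i += 2; continue; }           // backslash consumes the next character
    if (ch === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; } // doubled quote is a literal quote
      return i + 1;                                  // closing quote found
    }
    i += 1;
  }
  return -1;
}

// Build a JSON path literal with the given escaper and check that nothing leaks past it.
function pathLiteralIsContained(escapeFn, key) {
  const sql = "'$." + escapeFn(key) + "'";
  return literalEnd(sql, 0) === sql.length;
}

// Constructed sample keys: a benign one and one carrying a backslash before a quote.
const BENIGN_KEY = "it's";
const BACKSLASH_KEY = "a\\'b";
```

With the quote-only escaper, `BACKSLASH_KEY` closes the literal early (the check returns false); with backslashes escaped as well, both keys stay contained.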
Recommendation
Update the kysely package to the latest compatible version. The affected and patched versions are:
- Affected version(s): >= 0.28.12, <= 0.28.13
- Patched version(s): 0.28.14
References
Related Issues
- Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that - CVE-2026-33468
- SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. - CVE-2026-32763
- Parse Server has a NoSQL injection via token type in password reset and email verification endpoints - CVE-2026-30941
- fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - CVE-2026-25896
- Tags: npm, kysely
Last updated on March 27, 2026