CVE-2026-39356

Overview

Drizzle ORM versions prior to 0.45.2 and 1.0.0-beta.20 contain a SQL injection vulnerability in the escapeName() function used by PostgreSQL, MySQL, SQLite, SingleStore, and Gel dialects. The function wraps identifiers in quotes or backticks but does not escape the delimiter character (double quote “ for PostgreSQL/SQLite/Gel, backtick ` `` for MySQL/SingleStore) if it appears inside the identifier value. This omission allows an attacker to prematurely terminate the quoted identifier and inject arbitrary SQL syntax [2].

Exploitation

An attacker can trigger the vulnerability by providing untrusted input to APIs that construct SQL identifiers or aliases, such as sql.identifier() or .as(). A common exploitation pattern involves dynamic sorting where user-controlled column names are passed directly into sql.identifier(), e.g., req.query.sort used in an orderBy clause. No authentication bypass is required; the attacker only needs the ability to supply a string value to a vulnerable query-building path [2].

Impact

Successful exploitation can lead to blind or direct data disclosure, schema enumeration, query manipulation, privilege escalation, or destructive operations, depending on database dialect, query context, and database permissions. Applications that only use static schema objects or enforce an allowlist of known column/alias names are not affected [1][2].

Mitigation

The vulnerability is fixed in Drizzle ORM versions 0.45.2 and 1.0.0-beta.20. Users are advised to upgrade immediately. As a workaround, input passed to identifier-construction APIs should be validated against an allowlist of expected values [1][2].