Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.
AnalysisAI
SQL injection in Drizzle ORM (TypeScript) allows unauthenticated remote attackers to extract database contents via improperly escaped SQL identifiers in versions prior to 0.45.2 and 1.0.0-beta.20. Applications passing user-controlled input to sql.identifier() or .as() methods are vulnerable to identifier termination and arbitrary SQL injection. CVSS 7.5 (High) with network attack vector and low complexity. EPSS data not available; no public exploit identified at time of analysis, though the GitHub security advisory provides technical details that could enable exploitation.
Technical ContextAI
Drizzle ORM is a TypeScript object-relational mapping library supporting multiple SQL dialects (PostgreSQL, MySQL, SQLite). The vulnerability exists in dialect-specific escapeName() implementations responsible for safely quoting SQL identifiers (table names, column names, aliases). The flaw (CWE-89: SQL Injection) stems from failure to escape embedded identifier delimiters (quotes, backticks) before wrapping identifiers. For example, if an attacker supplies input like 'users`--' to an .as() alias operation, the backtick character terminates the quoted identifier prematurely, allowing subsequent SQL code injection. This affects any application code path where external input flows into sql.identifier() or .as() API calls without prior validation. The CPE identifies drizzle-team:drizzle-orm as the affected product across all versions prior to the fixed releases.
RemediationAI
Immediately upgrade Drizzle ORM to version 0.45.2 or later for stable releases, or version 1.0.0-beta.20 or later for beta track deployments. Update package.json dependencies and run npm update or yarn upgrade to install the patched version. As an interim mitigation for environments unable to upgrade immediately, implement strict input validation and sanitization before any user-controlled data reaches sql.identifier() or .as() API calls-whitelist allowed identifier names against a known-good set and reject any input containing SQL metacharacters (quotes, backticks, semicolons, dashes). Review application code for all usages of dynamic identifier construction and assess whether untrusted input can reach these code paths. Consider static analysis tooling to identify vulnerable patterns. Consult the GitHub security advisory at https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9 for additional technical details and vendor guidance.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19909
GHSA-gpj5-g38j-94v9