CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier() or .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.
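The following is an added example, not Drizzle's code, illustrating the escaping defect described above and the two defensive measures it implies. quoteUnsafe reproduces the pattern the advisory describes (wrapping a name in its delimiter without escaping delimiters embedded in it); quoteIdentifier doubles embedded delimiters, the standard rule for both double-quoted (PostgreSQL, SQLite) and backtick-quoted (MySQL) identifiers; isSingleQuotedIdentifier is a reviewer's check that a rendered identifier cannot close its own quotes; resolveColumn shows the allowlist approach that avoids quoting user input at all. All function names and the sample identifier are constructed for this example.

```typescript
// Added example (not Drizzle ORM code). Names below are hypothetical helpers.
type Delimiter = '"' | "`";

/** The weak pattern the advisory describes: wraps the name without
 *  escaping any delimiter it already contains. Kept only for comparison. */
export function quoteUnsafe(name: string, delim: Delimiter): string {
  return `${delim}${name}${delim}`;
}

/** Hardened quoting: every embedded delimiter is doubled, so the quoted
 *  token stays a single identifier no matter what the name contains.
 *  NUL bytes are rejected because several drivers truncate on them. */
export function quoteIdentifier(name: string, delim: Delimiter): string {
  if (name.includes("\0")) {
    throw new Error("identifier contains a NUL byte");
  }
  const escaped = name.split(delim).join(delim + delim);
  return `${delim}${escaped}${delim}`;
}

/** Defensive check: true only if `quoted` is one balanced quoted identifier,
 *  i.e. it starts and ends with the delimiter and every delimiter in between
 *  appears as a doubled pair. A lone inner delimiter means the identifier
 *  would be terminated early by the database parser. */
export function isSingleQuotedIdentifier(quoted: string, delim: Delimiter): boolean {
  if (quoted.length < 2 || quoted[0] !== delim || quoted[quoted.length - 1] !== delim) {
    return false;
  }
  const inner = quoted.slice(1, -1);
  let i = 0;
  while (i < inner.length) {
    if (inner[i] === delim) {
      if (inner[i + 1] !== delim) {
        return false; // unpaired delimiter closes the identifier early
      }
      i += 2;
    } else {
      i += 1;
    }
  }
  return true;
}

/** Allowlisting: when user input selects a column or alias (e.g. a sort key),
 *  map it onto names the schema already knows instead of quoting it. */
export function resolveColumn(requested: string, allowed: readonly string[]): string {
  const hit = allowed.find((c) => c === requested);
  if (hit === undefined) {
    throw new Error(`unknown column: ${JSON.stringify(requested)}`);
  }
  return hit;
}

// Constructed sample: a name that itself contains the quoting delimiter.
export const SAMPLE_NAME = 'my"col';

// Stand-alone demonstration of weak versus hardened rendering.
console.log(quoteUnsafe(SAMPLE_NAME, '"'), isSingleQuotedIdentifier(quoteUnsafe(SAMPLE_NAME, '"'), '"'));
console.log(quoteIdentifier(SAMPLE_NAME, '"'), isSingleQuotedIdentifier(quoteIdentifier(SAMPLE_NAME, '"'), '"'));
```

When auditing code paths that feed user input into sql.identifier() or .as(), the allowlist in resolveColumn is the stronger fix: the upgrade repairs escaping, but an identifier that never reaches the quoting layer cannot be mis-escaped by any dialect.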
Analysis
SQL injection in Drizzle ORM (TypeScript) allows unauthenticated remote attackers to extract database contents via improperly escaped SQL identifiers in versions prior to 0.45.2 and 1.0.0-beta.20. Applications passing user-controlled input to sql.identifier() or .as() methods are vulnerable to identifier termination and arbitrary SQL injection. …
Remediation
Within 24 hours: audit all Drizzle ORM implementations to identify versions prior to 0.45.2 and 1.0.0-beta.20, and inventory all code paths using sql.identifier() or .as() with user-controlled input. Within 7 days: upgrade Drizzle ORM to version 0.45.2 or 1.0.0-beta.20 or later across all affected applications, and conduct code review of identifier usage patterns. …
EUVD-2026-19909
GHSA-gpj5-g38j-94v9