Skip to main content

Drizzle Orm EUVDEUVD-2026-19909

| CVE-2026-39356 HIGH
SQL Injection (CWE-89)
2026-04-07 GitHub_M GHSA-gpj5-g38j-94v9
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19909
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:58 nvd
HIGH 7.5

DescriptionGitHub Advisory

Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.

AnalysisAI

SQL injection in Drizzle ORM (TypeScript) allows unauthenticated remote attackers to extract database contents via improperly escaped SQL identifiers in versions prior to 0.45.2 and 1.0.0-beta.20. Applications passing user-controlled input to sql.identifier() or .as() methods are vulnerable to identifier termination and arbitrary SQL injection. CVSS 7.5 (High) with network attack vector and low complexity. EPSS data not available; no public exploit identified at time of analysis, though the GitHub security advisory provides technical details that could enable exploitation.

Technical ContextAI

Drizzle ORM is a TypeScript object-relational mapping library supporting multiple SQL dialects (PostgreSQL, MySQL, SQLite). The vulnerability exists in dialect-specific escapeName() implementations responsible for safely quoting SQL identifiers (table names, column names, aliases). The flaw (CWE-89: SQL Injection) stems from failure to escape embedded identifier delimiters (quotes, backticks) before wrapping identifiers. For example, if an attacker supplies input like 'users`--' to an .as() alias operation, the backtick character terminates the quoted identifier prematurely, allowing subsequent SQL code injection. This affects any application code path where external input flows into sql.identifier() or .as() API calls without prior validation. The CPE identifies drizzle-team:drizzle-orm as the affected product across all versions prior to the fixed releases.

RemediationAI

Immediately upgrade Drizzle ORM to version 0.45.2 or later for stable releases, or version 1.0.0-beta.20 or later for beta track deployments. Update package.json dependencies and run npm update or yarn upgrade to install the patched version. As an interim mitigation for environments unable to upgrade immediately, implement strict input validation and sanitization before any user-controlled data reaches sql.identifier() or .as() API calls-whitelist allowed identifier names against a known-good set and reject any input containing SQL metacharacters (quotes, backticks, semicolons, dashes). Review application code for all usages of dynamic identifier construction and assess whether untrusted input can reach these code paths. Consider static analysis tooling to identify vulnerable patterns. Consult the GitHub security advisory at https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9 for additional technical details and vendor guidance.

Share

EUVD-2026-19909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy