Drizzle Orm
Monthly
SQL injection in Drizzle ORM (TypeScript) allows unauthenticated remote attackers to extract database contents via improperly escaped SQL identifiers in versions prior to 0.45.2 and 1.0.0-beta.20. Applications passing user-controlled input to sql.identifier() or .as() methods are vulnerable to identifier termination and arbitrary SQL injection. CVSS 7.5 (High) with network attack vector and low complexity. EPSS data not available; no public exploit identified at time of analysis, though the GitHub security advisory provides technical details that could enable exploitation.
SQL injection in Drizzle ORM (TypeScript) allows unauthenticated remote attackers to extract database contents via improperly escaped SQL identifiers in versions prior to 0.45.2 and 1.0.0-beta.20. Applications passing user-controlled input to sql.identifier() or .as() methods are vulnerable to identifier termination and arbitrary SQL injection. CVSS 7.5 (High) with network attack vector and low complexity. EPSS data not available; no public exploit identified at time of analysis, though the GitHub security advisory provides technical details that could enable exploitation.