Kysely is a type-safe SQL query builder for TypeScript that supports various SQL dialects including MySQL and SQLite. Versions from 0.26.0 through 0.28.11 contain a critical SQL injection vulnerability (CVE-2026-32763) due to improper neutralization of special elements in JSON path compilation. Specifically, the function visitJSONPathLeg() appends user-controlled values from the .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes. Unlike identifier escaping handled by sanitizeIdentifier(), these JSON path components are not sanitized, allowing attackers to break out of the JSON path string context and inject arbitrary SQL code. This vulnerability affects the confidentiality and integrity of the database by enabling unauthorized data access or manipulation. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. The issue was fixed in version 0.28.12 by implementing proper escaping of JSON path inputs, preventing injection attacks. No known exploits are currently reported in the wild, but the high CVSS score (8.2) reflects the severity and ease of exploitation.

The SQL injection vulnerability in Kysely can lead to unauthorized disclosure of sensitive data, data tampering, or partial compromise of database integrity. Since Kysely is a query builder used in TypeScript applications interfacing with MySQL and SQLite, any application using affected versions is at risk. Attackers can remotely execute arbitrary SQL commands without authentication, potentially extracting confidential information or corrupting data. This can result in data breaches, regulatory non-compliance, and loss of customer trust. The vulnerability does not affect availability directly but can cause significant operational and reputational damage. Organizations relying on Kysely for backend database interactions, especially those handling sensitive or regulated data, face elevated risk until patched.

Immediate upgrade to Kysely version 0.28.12 or later is the primary mitigation to ensure proper escaping of JSON path inputs. Until upgrade is possible, organizations should audit all usages of .key() and .at() methods in JSON path queries to identify potentially unsafe patterns. Avoid passing user-controlled input directly into JSON path components without manual sanitization. Implement additional input validation and sanitization layers at the application level to reject or escape single quotes and other special characters in JSON path inputs. Employ runtime monitoring and anomaly detection to identify suspicious SQL query patterns indicative of injection attempts. Restrict database user privileges to minimize impact if exploitation occurs. Finally, conduct security testing and code reviews focusing on SQL injection vectors in query builder usage.