CVE-2026-33442 is an SQL injection vulnerability affecting the Kysely SQL query builder, specifically versions 0.28.12 and 0.28.13. Kysely is a type-safe TypeScript library used to build SQL queries programmatically. The vulnerability stems from the sanitizeStringLiteral method in Kysely's query compiler, which escapes single quotes by doubling them (' → '') but does not escape backslashes. In MySQL databases configured with the default BACKSLASH_ESCAPES SQL mode, a backslash acts as an escape character. An attacker can exploit this by injecting a backslash before a single quote within a JSON path string literal, effectively neutralizing the escaping mechanism. This allows the attacker to break out of the intended string context and inject arbitrary SQL commands. Such injection can lead to unauthorized data access, data modification, or denial of service. The vulnerability does not require authentication or user interaction, increasing its risk. The issue was identified and fixed in Kysely version 0.28.14, which properly handles backslash escaping to prevent injection. No known exploits are reported in the wild yet, but the high CVSS score (8.1) reflects the critical nature of the flaw due to its potential impact and ease of exploitation in vulnerable environments.

The SQL injection vulnerability in Kysely can have severe consequences for organizations using affected versions with MySQL databases. Exploitation can lead to unauthorized disclosure of sensitive data, data corruption or deletion, and potential full compromise of the database server. Since the vulnerability requires no authentication or user interaction, attackers can remotely exploit it if they can influence query inputs, such as through web applications or APIs using Kysely. This can result in data breaches, loss of data integrity, service outages, and reputational damage. Organizations relying on Kysely for database interactions may face compliance violations if sensitive data is exposed. The impact is amplified in environments where MySQL's default BACKSLASH_ESCAPES mode is enabled, which is common. Given the widespread use of TypeScript and Node.js in modern web applications, many organizations globally could be affected if they use the vulnerable Kysely versions without patching.

The primary mitigation is to upgrade Kysely to version 0.28.14 or later, where the vulnerability is fixed by properly escaping backslashes in string literals. Organizations should audit their codebases to identify usage of Kysely versions 0.28.12 or 0.28.13 and plan immediate upgrades. Additionally, developers should review all SQL query constructions to ensure proper parameterization and avoid manual string concatenation. Enforcing the use of parameterized queries or prepared statements can reduce injection risks. Database administrators should verify MySQL SQL modes and consider disabling BACKSLASH_ESCAPES if feasible, although this may impact application compatibility. Implementing Web Application Firewalls (WAFs) with rules to detect and block SQL injection patterns can provide temporary protection. Finally, monitoring database logs for suspicious query patterns and unusual activity can help detect exploitation attempts early.