CVE-2026-33468: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in kysely-org kysely
CVE-2026-33468 is a high-severity SQL injection vulnerability in the Kysely TypeScript SQL query builder versions prior to 0.28.14. The flaw arises because the DefaultQueryCompiler.sanitizeStringLiteral() method escapes single quotes but fails to escape backslashes. In MySQL dialects where NO_BACKSLASH_ESCAPES is OFF by default, attackers can exploit this to break out of string literals using backslashes and inject arbitrary SQL commands. This affects code paths using ImmediateValueTransformer to inline values, notably CreateIndexBuilder.where() and CreateViewBuilder.as(). Exploitation requires no privileges or user interaction but has a high attack complexity.
AI Analysis
Technical Summary
Kysely is a type-safe SQL query builder for TypeScript that helps developers construct SQL queries programmatically. Prior to version 0.28.14, Kysely's DefaultQueryCompiler.sanitizeStringLiteral() method attempted to prevent SQL injection by doubling single quotes in string literals, but it did not escape backslash characters. In MySQL dialects where the NO_BACKSLASH_ESCAPES mode is OFF (the default), backslashes act as escape characters within string literals, so a backslash placed immediately before the closing quote escapes that quote and breaks out of the intended string context, allowing arbitrary SQL to be injected. The vulnerability specifically affects code paths that use ImmediateValueTransformer to inline values into queries, such as CreateIndexBuilder.where() and CreateViewBuilder.as(); because these methods inline user-controlled values without escaping backslashes, they become SQL injection vectors. The vulnerability has a CVSS 3.1 score of 8.1 (high severity): network attack vector, high impact on confidentiality, integrity, and availability, high attack complexity, and no privileges or user interaction required. The CVE was reserved on March 20, 2026, and published on March 26, 2026. No exploits have been reported in the wild yet. The issue is fixed in Kysely version 0.28.14, which escapes backslashes in string literals to prevent injection. The flaw underscores the importance of comprehensive input sanitization and awareness of database-specific escape mechanisms in query builders.
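As an added illustration (not Kysely's own code), a minimal model of the sanitizer behaviour described above beside a backslash-aware variant, checked with a small scanner that applies MySQL's NO_BACKSLASH_ESCAPES=OFF literal rules; sanitizeQuotesOnly, sanitizeBackslashAware, literalEnd and valueStaysContained are hypothetical names, and the sample input is constructed.

```typescript
// Added illustration, not Kysely's source. Models the pre-0.28.14 behaviour
// (single quotes doubled, backslashes untouched) beside a backslash-aware variant.

// Hypothetical name: the vulnerable behaviour the analysis describes.
function sanitizeQuotesOnly(value: string): string {
  return value.replace(/'/g, "''");
}

// Hypothetical name: backslash-aware variant for NO_BACKSLASH_ESCAPES=OFF.
// Backslashes are escaped first so the quote doubling is not undone.
function sanitizeBackslashAware(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

function toLiteral(sanitized: string): string {
  return `'${sanitized}'`;
}

// Minimal scanner for a MySQL single-quoted literal with NO_BACKSLASH_ESCAPES=OFF:
// a backslash escapes the next character, a doubled quote is a literal quote.
// Returns the index just past the closing quote, or -1 if the literal never ends.
function literalEnd(sql: string, start: number): number {
  if (sql[start] !== "'") return -1;
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") { i += 2; continue; }
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }
      return i + 1;
    }
    i++;
  }
  return -1;
}

// True when the inlined value is fully contained by its own quotes, i.e. the
// literal ends exactly at the end of the emitted text.
function valueStaysContained(
  sanitize: (v: string) => string,
  value: string,
): boolean {
  const lit = toLiteral(sanitize(value));
  return literalEnd(lit, 0) === lit.length;
}

// Constructed sample: a Windows path that legitimately ends in a backslash.
const SAMPLE_PATH = "C:\\temp\\";
```

With the quotes-only sanitizer the trailing backslash of SAMPLE_PATH escapes the closing quote and the literal never terminates, so even benign input breaks the statement; the backslash-aware variant keeps the value contained.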
Potential Impact
This vulnerability allows remote attackers to perform SQL injection attacks against applications using vulnerable versions of Kysely with MySQL backends. Successful exploitation can lead to unauthorized data disclosure, data modification, or deletion, compromising confidentiality, integrity, and availability of the database. Attackers could execute arbitrary SQL commands, potentially extracting sensitive information, bypassing authentication, or corrupting data. Since Kysely is a query builder used in TypeScript applications, any web or backend service relying on it for database interactions is at risk. The impact is significant for organizations that use Kysely with MySQL databases, especially those that inline user input into queries without additional sanitization. This could affect web applications, APIs, and microservices, leading to data breaches and service disruptions. The lack of required privileges or user interaction lowers the barrier for exploitation, increasing risk. Although no exploits are known in the wild yet, the high CVSS score and public disclosure mean attackers may develop exploits soon, raising urgency for remediation.
Mitigation Recommendations
The primary mitigation is to upgrade Kysely to version 0.28.14 or later, which includes the fix that properly escapes backslashes in string literals. Until upgrading is possible, organizations should audit all code paths that use ImmediateValueTransformer, especially CreateIndexBuilder.where() and CreateViewBuilder.as(), to ensure no untrusted input is inlined without proper escaping or parameterization. Avoid inlining user input directly into queries; instead, use parameterized queries or prepared statements wherever possible. Additionally, consider enabling MySQL's NO_BACKSLASH_ESCAPES mode to disable backslash escaping, though this may require application compatibility testing. Implement Web Application Firewalls (WAFs) with SQL injection detection rules to provide a layer of defense. Monitor logs for suspicious query patterns indicative of injection attempts. Conduct security code reviews focused on query construction and input sanitization. Educate developers about database-specific escaping nuances and the risks of improper sanitization in query builders. Finally, maintain an inventory of applications using Kysely to prioritize patching and testing.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.968Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c569d6f4197a8e3be94d8f
Added to database: 3/26/2026, 5:16:06 PM
Last enriched: 3/26/2026, 5:31:16 PM
Last updated: 3/26/2026, 6:05:51 PM