CVE-2026-44635: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kysely-org kysely
Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input) — including type-safe code where the JSON column is shaped like Record<string, T> so K extends string is the inferred type — every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL ->$/->>$, and SQLite. This vulnerability is fixed in 0.28.17.
AI Analysis
Technical Summary
Kysely, a type-safe TypeScript SQL query builder, improperly limits pathname traversal in JSON-path processing within DefaultQueryCompiler.visitJSONPathLeg from versions 0.26.0 to 0.28.16. The function fails to escape JSON-path metacharacters such as ., [, ], *, **, and ?, allowing attacker-controlled input in methods like eb.ref(col, '->$').key(input) or .at(input) to traverse JSON keys beyond the intended boundaries. This leads to unauthorized read and write access to JSON sub-fields across MySQL, PostgreSQL, and SQLite databases. The vulnerability is resolved in version 0.28.17.
Potential Impact
Exploitation of this vulnerability allows an attacker to read and modify JSON sub-fields in databases that the developer did not intend to expose or alter. This can lead to unauthorized data disclosure and data integrity issues in affected applications using vulnerable versions of Kysely. The impact is limited to JSON data access within the database context and does not affect availability or other system components.
Mitigation Recommendations
Upgrade Kysely to version 0.28.17 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Patch status is confirmed by the vendor advisory indicating the fix in 0.28.17.
CVE-2026-44635: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kysely-org kysely
Description
Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input) — including type-safe code where the JSON column is shaped like Record<string, T> so K extends string is the inferred type — every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL ->$/->>$, and SQLite. This vulnerability is fixed in 0.28.17.
CVSS v3.1
Score 7.5high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Kysely, a type-safe TypeScript SQL query builder, improperly limits pathname traversal in JSON-path processing within DefaultQueryCompiler.visitJSONPathLeg from versions 0.26.0 to 0.28.16. The function fails to escape JSON-path metacharacters such as ., [, ], *, **, and ?, allowing attacker-controlled input in methods like eb.ref(col, '->$').key(input) or .at(input) to traverse JSON keys beyond the intended boundaries. This leads to unauthorized read and write access to JSON sub-fields across MySQL, PostgreSQL, and SQLite databases. The vulnerability is resolved in version 0.28.17.
Potential Impact
Exploitation of this vulnerability allows an attacker to read and modify JSON sub-fields in databases that the developer did not intend to expose or alter. This can lead to unauthorized data disclosure and data integrity issues in affected applications using vulnerable versions of Kysely. The impact is limited to JSON data access within the database context and does not affect availability or other system components.
Mitigation Recommendations
Upgrade Kysely to version 0.28.17 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Patch status is confirmed by the vendor advisory indicating the fix in 0.28.17.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T15:30:10.875Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a173900e29bf47b50dc2e32
Added to database: 5/27/2026, 6:33:36 PM
Last enriched: 5/27/2026, 6:48:29 PM
Last updated: 5/27/2026, 8:08:28 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.