SQL Injection via escapeName() in all Drizzle ORM SQL dialects

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.

Basic Information

ID CVE-2026-39356

Source GitHub_M

Published Apr 7, 2026 at 19:58

Modified Apr 8, 2026 at 14:33

Affected Product

Vendor drizzle-team

Product drizzle-orm

Version < 0.45.2

Affected Versions drizzle-team drizzle-orm < 0.45.2
drizzle-team drizzle-orm >= 1.0.0-beta.2, < 1.0.0-beta.20

CWE Classification

CWE-89

References

github.com /drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9

{
    "lastseen": "",
    "description": "Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.",
    "published": "2026-04-07T19:58:46.348Z",
    "modified": "2026-04-08T14:33:54.466Z",
    "type": "cve",
    "title": "SQL Injection via escapeName() in all Drizzle ORM SQL dialects",
    "source": "GitHub_M",
    "references": "https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9",
    "id": "CVE-2026-39356",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "drizzle-team drizzle-orm < 0.45.2\ndrizzle-team drizzle-orm >= 1.0.0-beta.2, < 1.0.0-beta.20",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "drizzle-orm",
    "version": "< 0.45.2",
    "vendor": "drizzle-team",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

SQL Injection via escapeName() in all Drizzle ORM SQL dialects_CVE-2026-39356