CVE-2026-32763 Overview
Kysely, a type-safe TypeScript SQL query builder, contains a SQL injection vulnerability in the JSON path compilation used by its MySQL and SQLite dialects. Versions up to and including 0.28.11 are affected; the flaw allows attackers to inject arbitrary SQL through the visitJSONPathLeg() function. It arises because values supplied to the .key() and .at() methods are appended verbatim into the single-quoted JSON path string literal (for example '$.key') without escaping single quotes, so a quote in the value terminates the literal early.
Critical Impact
Attackers can break out of the JSON path string context and inject arbitrary SQL, which the database executes with the privileges of the application's database account. Depending on those privileges this can mean unauthorized data access, data manipulation, or complete database compromise in applications using Kysely with MySQL or SQLite.
Affected Products
- Kysely versions up to and including 0.28.11 using MySQL dialect
- Kysely versions up to and including 0.28.11 using SQLite dialect
- Applications utilizing Kysely's JSON path functions (.key() and .at()) with untrusted input
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-32763 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-32763
Vulnerability Analysis
The vulnerability exists in the visitJSONPathLeg() function within Kysely's query compilation logic. This function is responsible for constructing JSON path expressions used in MySQL and SQLite queries. The core issue is an inconsistency in how different types of SQL constructs are sanitized: while sanitizeIdentifier() properly doubles delimiter characters to prevent injection in identifiers, the JSON path compilation lacks equivalent protection.
When a developer uses the .key() or .at() methods to construct JSON path expressions, user-supplied values are concatenated directly into the JSON path string without escaping single quote characters. This allows an attacker to terminate the JSON path string prematurely and inject malicious SQL code into the query.
The vulnerability is classified as CWE-89 (SQL Injection), representing a failure to properly neutralize special elements used in SQL commands.
Root Cause
The root cause is improper input sanitization in the JSON path compilation process. Both JSON path strings and identifiers are non-parameterizable SQL constructs that require manual escaping. However, only identifiers received proper protection through the sanitizeIdentifier() function, which doubles delimiter characters. The visitJSONPathLeg() function failed to implement equivalent escaping for single quotes within JSON path string literals.
Attack Vector
This vulnerability is exploitable over the network by any user who can influence the values an application passes to Kysely's .key() or .at() JSON path methods. The library itself imposes no authentication or user interaction requirement; whether an attacker needs an account depends on which application endpoints feed request data into those methods. The attacker supplies a string containing a single quote followed by SQL. When the vulnerable JSON path compilation processes it, the quote terminates the legitimate JSON path literal and the remainder is interpreted by the database as part of the statement.
For example, a key value of x' OR 1=1 -- (with the trailing space MySQL requires after --) closes the '$.x' literal, appends a tautology and comments out the rest of the statement. What the injected SQL can then do, from unauthorized data extraction to data modification, depends on the permissions of the application's database user.
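To make the breakout concrete, the following TypeScript is an added illustration and not Kysely's source. It models the two compilation behaviours described above: a leg value concatenated verbatim into the '$...' literal, and the same value with each single quote doubled, the standard SQL escape and the kind of protection the root-cause section says identifiers already receive (whether the actual patch escapes in exactly this way is an assumption here). It then splits the resulting statement into string literals and surrounding SQL so the injected text is visible. The PathLeg type, the function names, the query template and the payload are all assumptions made for this example.

```typescript
// Added illustration, not Kysely source. Models the JSON path literal that the
// MySQL/SQLite dialects build from .key()/.at() legs, first with values
// concatenated verbatim (vulnerable) and then with single quotes doubled. All
// names below are assumptions made for this example.

type PathLeg =
  | { type: 'Member'; value: string }                 // from .key('name')
  | { type: 'ArrayLocation'; value: number | string } // from .at(0)

// Vulnerable behaviour: each leg value is appended to '$...' untouched.
function compileJsonPathVulnerable(legs: PathLeg[]): string {
  let path = "'$"
  for (const leg of legs) {
    path += leg.type === 'ArrayLocation' ? `[${leg.value}]` : `.${leg.value}`
  }
  return path + "'"
}

// Patched behaviour: every single quote inside a leg value is doubled, the
// standard SQL way to keep a quote inside a string literal.
function compileJsonPathPatched(legs: PathLeg[]): string {
  let path = "'$"
  for (const leg of legs) {
    const value = String(leg.value).replace(/'/g, "''")
    path += leg.type === 'ArrayLocation' ? `[${value}]` : `.${value}`
  }
  return path + "'"
}

// A MySQL/SQLite-style statement around the compiled path. The "?" is a bound
// parameter; the JSON path literal is the only non-parameterised text.
function buildQuery(compile: (legs: PathLeg[]) => string, userKey: string): string {
  const path = compile([{ type: 'Member', value: userKey }])
  return `select * from \`users\` where \`profile\`->${path} = ?`
}

// Splits SQL text into its single-quoted literals and the text outside them,
// treating '' as an escaped quote. Whatever lands "outside" is parsed by the
// database as SQL syntax, so attacker text there is the injection.
function splitLiterals(sql: string): { literals: string[]; outside: string } {
  const literals: string[] = []
  let outside = ''
  let i = 0
  while (i < sql.length) {
    if (sql[i] !== "'") {
      outside += sql[i]
      i++
      continue
    }
    let literal = ''
    i++ // opening quote
    while (i < sql.length) {
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { literal += "'"; i += 2; continue }
        i++ // closing quote
        break
      }
      literal += sql[i]
      i++
    }
    literals.push(literal)
    outside += '<lit>'
  }
  return { literals, outside }
}

// Constructed attacker-controlled key: closes the literal, adds a tautology and
// comments out the rest (MySQL needs the space after "--").
const PAYLOAD = "x' or 1=1 -- "

// Compiles the same payload both ways and shows what the database would see.
function demo() {
  return {
    vulnerable: splitLiterals(buildQuery(compileJsonPathVulnerable, PAYLOAD)),
    patched: splitLiterals(buildQuery(compileJsonPathPatched, PAYLOAD)),
  }
}
```

With the vulnerable compiler, demo() reports " or 1=1 -- " outside any literal, i.e. as SQL the database executes; with quotes doubled, the entire payload stays inside one literal and the statement outside it is unchanged.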
Detection Methods for CVE-2026-32763
Indicators of Compromise
- Unusual SQL query patterns in database logs containing malformed JSON path expressions
- Database error messages indicating syntax errors in JSON path operations
- Unexpected database queries originating from application code using Kysely
- Evidence of data exfiltration through SQL injection techniques in web application logs
Detection Strategies
- Inventory application dependencies (for example with npm ls kysely, or by reading the lockfile) for Kysely versions 0.28.11 and earlier
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in request parameters
- Enable detailed database query logging to identify anomalous JSON path queries
- Conduct static code analysis to identify usage of .key() and .at() methods with untrusted input
Monitoring Recommendations
- Review database audit logs for queries containing unusual characters in JSON path expressions
- Set up alerts for database errors related to JSON path parsing failures
- Monitor network traffic for patterns consistent with SQL injection exploitation attempts
- Implement runtime application self-protection (RASP) to detect and block injection attacks
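As an added example, not from the advisory or from Kysely, the following TypeScript applies the log-based strategies above to a few constructed MySQL general-log style lines. It strips properly terminated string literals, then flags comment markers or a dangling quote in what remains (Kysely-generated SQL contains neither) and any JSON path literal after -> or ->> that is not a plain $.key[n] path. Function names, the path grammar and the log lines are assumptions constructed for this illustration.

```typescript
// Added example, not from the advisory or from Kysely: a triage scanner for
// MySQL general-log style query lines. It flags (1) comment markers or a
// dangling quote outside any string literal, which Kysely-generated SQL never
// contains, and (2) a JSON path literal after -> or ->> that is not a plain
// $.key[n] path. Function names, the path grammar and the log lines are
// assumptions constructed for this illustration.

// Replace every properly terminated single-quoted literal ('' is an escaped
// quote) with a placeholder so that only real SQL syntax remains.
function stripStringLiterals(sql: string): string {
  return sql.replace(/'(?:[^']|'')*'/g, '<lit>')
}

// Shape of path that .key()/.at() legs are expected to produce: $ followed by
// .identifier members and [n] / [last] / [#-n] array legs. Extend it if the
// application relies on other spellings, such as double-quoted members.
const SIMPLE_JSON_PATH = /^\$(?:\.[A-Za-z_][A-Za-z0-9_]*|\[(?:\d+|last|#-\d+)\])*$/

function scanQuery(sql: string): string[] {
  const findings: string[] = []
  const outside = stripStringLiterals(sql)
  if (/--|\/\*|#/.test(outside)) findings.push('comment marker outside a string literal')
  if (outside.indexOf("'") !== -1) findings.push('unterminated string literal')
  // Every JSON path literal attached to -> or ->> must parse as a simple path.
  const pathLiteral = /->>?'((?:[^']|'')*)'/g
  let m: RegExpExecArray | null
  while ((m = pathLiteral.exec(sql)) !== null) {
    const path = m[1].replace(/''/g, "'")
    if (!SIMPLE_JSON_PATH.test(path)) findings.push('suspicious JSON path literal: ' + path)
  }
  return findings
}

// Constructed lines in the MySQL general-log layout "<time>\t<thread> Query\t<sql>".
// Lines 1-2 are normal Kysely output; line 3 is the injection against the
// vulnerable compiler; line 4 is what the same payload looks like once the
// compiler doubles single quotes.
const SAMPLE_LOG = [
  "2026-03-21T10:00:01.000000Z\t   12 Query\tselect * from `users` where `profile`->'$.name' = 'O''Brien'",
  "2026-03-21T10:00:02.000000Z\t   12 Query\tselect `profile`->>'$.tags[0]' from `users` where `id` = 7",
  "2026-03-21T10:00:03.000000Z\t   13 Query\tselect * from `users` where `profile`->'$.x' or 1=1 -- ' = 'a'",
  "2026-03-21T10:00:04.000000Z\t   13 Query\tselect * from `users` where `profile`->'$.x'' or 1=1 -- ' = 'a'",
]

function scanLog(lines: string[]): { line: number; findings: string[] }[] {
  const results: { line: number; findings: string[] }[] = []
  lines.forEach((raw, idx) => {
    const sql = raw.split('\t').slice(2).join('\t') // drop the time and thread columns
    const findings = scanQuery(sql)
    if (findings.length > 0) results.push({ line: idx + 1, findings })
  })
  return results
}
```

Line 3 trips both syntax rules; line 4 is caught only by the path-grammar rule, because after the quoting fix the payload is entirely inside the literal. A quote-balanced payload that ends in something like ' = ' and uses no comment leaves neither a comment marker nor a dangling quote, so the first two rules miss it against an unpatched build. Treat this as a triage filter over query logs, not a substitute for upgrading.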
How to Mitigate CVE-2026-32763
Immediate Actions Required
- Upgrade Kysely to version 0.28.12 or later immediately
- Audit all application code using Kysely to identify usage of .key() and .at() methods
- Validate values passed to JSON path functions against an allowlist of expected key names and integer indexes; at a minimum, reject single quotes
- Consider implementing additional database-level access controls to limit potential impact
Patch Information
The vulnerability has been fixed in Kysely version 0.28.12. The patch addresses the missing single quote escaping in the JSON path compilation process. For detailed information about the fix, refer to the GitHub Commit Changes and the GitHub Release v0.28.12. The security advisory is available at GitHub Security Advisory GHSA-wmrf-hv6w-mr66.
Workarounds
- Reject single quotes in values before passing them to .key() or .at(); stripping or escaping them in application code is possible but duplicates the library fix and is easy to get wrong
- Implement allowlists for JSON path key names if the application's use case permits
- Keep the rest of the query parameterized, as Kysely does by default; the JSON path literal itself cannot be bound as a parameter in these dialects, which is why validation or the upgrade is needed for that part
- Apply database user privilege restrictions to minimize potential damage from successful exploitation
# Upgrade Kysely to the patched version
npm install kysely@0.28.12
# Or accept any later 0.28.x release
npm install kysely@^0.28.12
# Confirm the version that actually resolved
npm ls kysely
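The allowlist workaround above, as an added example that is not Kysely code: validation that sits in front of .key() and .at() while a deployment is still on a vulnerable release, and stays useful as defence in depth afterwards. The function names, the allowlist and the request fields in the comment are assumptions made for this illustration.

```typescript
// Added example, not Kysely code: application-side validation to sit in front
// of .key() and .at() while still on a vulnerable release, and as defence in
// depth after upgrading. Function names and the allowlist are assumptions;
// adapt the allowlist to the JSON keys your schema actually uses.

// Keys must look like a plain identifier and, when an allowlist is given, be
// on it. Quotes, dots and brackets are rejected outright instead of escaped,
// so the compiled path can only ever be '$.<name>'.
const JSON_KEY_SHAPE = /^[A-Za-z_][A-Za-z0-9_]*$/

function safeJsonKey(key: unknown, allowlist?: string[]): string {
  if (typeof key !== 'string' || !JSON_KEY_SHAPE.test(key)) {
    throw new Error('rejected JSON path key: ' + JSON.stringify(key))
  }
  if (allowlist && allowlist.indexOf(key) === -1) {
    throw new Error('JSON path key not in allowlist: ' + key)
  }
  return key
}

// Indexes for .at() are limited to non-negative integers here. If the
// application relies on other forms such as 'last', allowlist those spellings
// explicitly rather than accepting arbitrary strings.
function safeJsonIndex(index: unknown): number {
  if (typeof index === 'number' && isFinite(index) && Math.floor(index) === index && index >= 0) {
    return index
  }
  throw new Error('rejected JSON path index: ' + JSON.stringify(index))
}

// Illustrative call site (hypothetical request fields; the builder call itself
// is not exercised here):
//   .key(safeJsonKey(req.query.field, PROFILE_KEYS)).at(safeJsonIndex(Number(req.query.i)))
const PROFILE_KEYS = ['name', 'email', 'tags']

// Helpers that report outcomes so the rules can be checked without a database.
function classify(inputs: unknown[], allowlist?: string[]): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = []
  const rejected: string[] = []
  for (const input of inputs) {
    try {
      accepted.push(safeJsonKey(input, allowlist))
    } catch (e) {
      rejected.push(String(input))
    }
  }
  return { accepted, rejected }
}

function indexAccepted(index: unknown): boolean {
  try { safeJsonIndex(index); return true } catch (e) { return false }
}
```

Rejecting rather than escaping keeps the compiled path within the grammar the application expects, so the check holds regardless of which Kysely version or dialect is underneath.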
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

