CVE-2026-33442 Overview
Kysely, a popular type-safe TypeScript SQL query builder, contains a SQL Injection vulnerability in versions 0.28.12 and 0.28.13. The vulnerability exists in the sanitizeStringLiteral method within Kysely's query compiler, which fails to properly escape backslash characters. While the method correctly escapes single quotes (' → ''), the lack of backslash escaping allows attackers to inject a backslash before a single quote, effectively neutralizing the escape mechanism.
When exploited against MySQL databases running in the default SQL mode, in which backslash acts as an escape character inside string literals (NO_BACKSLASH_ESCAPES is not set), this vulnerability enables attackers to break out of JSON path string literals and inject arbitrary SQL commands, potentially leading to full database compromise.
Critical Impact
Attackers can bypass SQL injection protections in Kysely query builder to execute arbitrary SQL commands on MySQL databases, potentially leading to unauthorized data access, modification, or deletion.
Affected Products
- Kysely 0.28.12
- Kysely 0.28.13
Discovery Timeline
- 2026-03-26 - CVE-2026-33442 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33442
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) stems from incomplete input sanitization in the Kysely query compiler. The sanitizeStringLiteral method implements escaping logic that transforms single quotes into doubled single quotes, which is a standard SQL escaping technique. However, the implementation overlooks backslash character handling.
By default, MySQL treats backslash as an escape character inside string literals (the NO_BACKSLASH_ESCAPES SQL mode is not set). When an attacker provides input containing a backslash followed by a single quote (\'), the backslash escapes the quote character at the MySQL level. Since Kysely's sanitization only doubles the single quote without addressing the preceding backslash, the input \' becomes \'' after sanitization. MySQL reads \' as an escaped quote character that stays inside the literal, and the remaining lone ' as the quote that closes the literal, so the string context ends earlier than the query builder intended.
This escape sequence manipulation allows attackers to terminate the intended string literal prematurely and append malicious SQL code that executes within the context of the original query.
Root Cause
The root cause lies in the incomplete character escaping implementation within the sanitizeStringLiteral method. The function addresses single quote escaping but fails to account for MySQL's default behavior of treating backslashes as escape characters. This oversight creates a character sequence that can bypass the sanitization logic when the escaped output is processed by MySQL's query parser.
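The following is an added example, not Kysely's source code or its patch. It places the quote-only escaping described above beside an illustrative hardened form that also doubles backslashes (an assumption about the fix, not the project's actual change), and checks both against a small model of MySQL's default literal scanner, where `''` is an escaped quote inside a literal and `\x` is an escaped character. The check reports whether a JSON path literal built from user input still ends where the builder intended.

```typescript
// Added example, not Kysely's source code: the two escaping strategies the
// advisory contrasts, plus a small model of how MySQL scans a quoted literal
// in its default mode, where backslash is an escape character.

// Vulnerable form: doubles single quotes only, the behaviour described for
// sanitizeStringLiteral in Kysely 0.28.12 and 0.28.13.
function sanitizeQuotesOnly(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened form (an assumption for illustration, not Kysely's actual patch):
// double every backslash first, then double the quotes, so a backslash in the
// input can never pair with the quote that follows it.
function sanitizeQuotesAndBackslashes(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Model of MySQL's literal scanner with backslash escapes enabled. Starting at
// an opening quote, returns the index just past the closing quote, or -1 if
// the literal never closes. '' inside a literal is an escaped quote and \x is
// an escaped character, exactly the two rules the advisory relies on.
function literalEnd(sql: string, start: number): number {
  if (sql.charAt(start) !== "'") throw new Error("literal must start with a quote");
  let i = start + 1;
  while (i < sql.length) {
    const c = sql.charAt(i);
    if (c === "\\") { i += 2; continue; }                 // backslash escapes the next char
    if (c === "'") {
      if (sql.charAt(i + 1) === "'") { i += 2; continue; } // doubled quote stays inside
      return i + 1;                                        // lone quote closes the literal
    }
    i += 1;
  }
  return -1;
}

// Wraps user input in a JSON path literal the way a query builder would and
// reports whether the literal still ends where the builder intended. A
// mismatch means the input broke out of the string context.
function literalStaysContained(sanitize: (v: string) => string, userInput: string): boolean {
  const prefix = "SELECT JSON_EXTRACT(doc, ";
  const literal = `'${sanitize(userInput)}'`;
  const sql = `${prefix}${literal}) FROM t`;
  return literalEnd(sql, prefix.length) === prefix.length + literal.length;
}

// Constructed inputs for the demonstration.
console.log(literalStaysContained(sanitizeQuotesOnly, "$.name"));               // true
console.log(literalStaysContained(sanitizeQuotesOnly, "$.name\\'x"));           // false: \' bypass
console.log(literalStaysContained(sanitizeQuotesAndBackslashes, "$.name\\'x")); // true
```

The scanner model is deliberately minimal: it knows nothing about the rest of the statement, only where a literal begins and ends, which is all that is needed to show why doubling quotes alone is insufficient once backslash is an escape character. Note that the hardened form is only correct when the server does treat backslash as an escape; under NO_BACKSLASH_ESCAPES the doubled backslashes would be stored literally.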
Attack Vector
The vulnerability is reachable over the network through any application that passes user-supplied data into Kysely queries. An attacker requires no authentication or special privileges to exploit it. By supplying input containing backslash and single quote sequences, the attacker can:
- Inject input through any application endpoint that processes user-supplied data via Kysely queries
- Use the backslash to consume the first of the two single quotes that Kysely emits during sanitization, leaving the second quote unescaped
- Break out of the JSON path string literal context
- Append arbitrary SQL statements that execute with the database privileges of the application
The vulnerability specifically affects MySQL deployments running in the default SQL mode, where backslash is an escape character (NO_BACKSLASH_ESCAPES not set), making it widely applicable to common MySQL configurations.
Detection Methods for CVE-2026-33442
Indicators of Compromise
- Unusual SQL query patterns in database logs containing backslash sequences followed by single quotes (\')
- Database error logs showing syntax errors in JSON path operations
- Unexpected data access or modification events in audit logs
- Application logs containing malformed or unusually long input strings with escape sequences
Detection Strategies
- Implement database query logging and analyze for anomalous patterns involving backslash-quote combinations
- Deploy Web Application Firewall (WAF) rules to detect SQL injection patterns targeting backslash escape sequences
- Monitor application input validation logs for attempts to submit strings containing \' sequences
- Use database activity monitoring (DAM) solutions to identify unexpected query structures
Monitoring Recommendations
- Enable MySQL general query log or slow query log for forensic analysis capabilities
- Configure alerting for SQL syntax errors that may indicate injection attempts
- Implement real-time monitoring of database connections for unusual query volumes or patterns
- Review application logs for input validation failures related to special character handling
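As an added example for the indicators and detection strategies above (not part of the advisory, and not a tool from the Kysely project), the following TypeScript scans MySQL general log entries for the backslash-quote pattern. Log lines are constructed for the demonstration in the general log's tab-separated layout (time, thread id and command, argument). The rule flags a single quote preceded by an odd number of backslashes, because an even run such as `\\'` is an escaped backslash followed by a real quote, which is what a sanitizer that doubles backslashes produces; this keeps file paths like `'C:\\tmp\\'` from raising alerts. Matches inside JSON path functions are reported separately because they are the pattern this advisory describes.

```typescript
// Added example, not from the advisory or Kysely: scan MySQL general-log lines
// for backslash-escaped quotes, the indicator of compromise listed above.

interface Finding {
  threadId: number;
  reason: string;
  query: string;
}

// A quote preceded by an odd number of backslashes is an escaped quote (\').
// An even run (\\') is an escaped backslash followed by a real quote and is
// not flagged, which avoids false positives on Windows-style paths.
function hasOddBackslashBeforeQuote(sql: string): boolean {
  let run = 0;
  for (let i = 0; i < sql.length; i++) {
    const c = sql.charAt(i);
    if (c === "\\") { run += 1; continue; }
    if (c === "'" && run % 2 === 1) return true;
    run = 0;
  }
  return false;
}

// JSON path functions and the -> / ->> operators, where this advisory's
// pattern would appear.
const JSON_PATH_CONTEXT = /JSON_(EXTRACT|SET|CONTAINS_PATH|VALUE|REPLACE|INSERT|REMOVE)\s*\(|->>?/i;

// General log rows: "<time>\t<thread id> <command>\t<argument>".
function parseGeneralLogLine(line: string): { threadId: number; command: string; argument: string } | null {
  const [time = "", idAndCommand = "", ...rest] = line.split("\t");
  const [idRaw = "", command = ""] = idAndCommand.trim().split(/\s+/);
  const threadId = Number(idRaw);
  if (!time || !command || !Number.isInteger(threadId)) return null;
  return { threadId, command, argument: rest.join("\t") };
}

function scanGeneralLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const entry = parseGeneralLogLine(line);
    if (!entry || entry.command !== "Query") continue;
    if (!hasOddBackslashBeforeQuote(entry.argument)) continue;
    const inJsonPath = JSON_PATH_CONTEXT.test(entry.argument);
    findings.push({
      threadId: entry.threadId,
      reason: inJsonPath
        ? "backslash-escaped quote inside a JSON path expression"
        : "backslash-escaped quote in a string literal",
      query: entry.argument,
    });
  }
  return findings;
}

// Constructed sample log lines (not real captured traffic).
const SAMPLE_LOG: string[] = [
  "2026-03-26T10:15:02.000000Z\t   12 Query\tSELECT JSON_EXTRACT(profile, '$.name') FROM users WHERE id = 7",
  "2026-03-26T10:15:03.000000Z\t   12 Query\tSELECT JSON_EXTRACT(profile, '$.name\\'') FROM users WHERE id = 7",
  "2026-03-26T10:15:04.000000Z\t   13 Query\tINSERT INTO files (path) VALUES ('C:\\\\tmp\\\\')",
  "2026-03-26T10:15:05.000000Z\t   14 Query\tSELECT id FROM notes WHERE title = 'it\\'s late'",
  "2026-03-26T10:15:06.000000Z\t   15 Connect\tapp@localhost on appdb",
];

for (const f of scanGeneralLog(SAMPLE_LOG)) {
  console.log(`thread ${f.threadId}: ${f.reason}`);
}
```

The fourth sample line shows why the plain string-literal match should be treated as lower priority: several MySQL client libraries legitimately escape quotes as `\'`, so that pattern alone is noisy outside JSON path context. The general log also records statements only after they are received, so this is a forensic aid, not a blocking control.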
How to Mitigate CVE-2026-33442
Immediate Actions Required
- Upgrade Kysely to version 0.28.14 or later, which includes the security fix for backslash escaping
- Review application code for any custom sanitization logic that may have similar backslash handling gaps
- Audit recent database activity logs for potential exploitation attempts
- Implement additional input validation at the application layer as defense-in-depth
Patch Information
Kysely version 0.28.14 addresses this vulnerability by properly escaping backslash characters in addition to single quotes within the sanitizeStringLiteral method. Organizations should update their dependencies immediately using their package manager.
For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Disable MySQL's backslash escaping by setting sql_mode to include NO_BACKSLASH_ESCAPES, which prevents backslash from being treated as an escape character
- Implement application-level input validation to reject or sanitize backslash characters before they reach the query builder
- Use parameterized queries or prepared statements where possible as an additional layer of protection
- Deploy a WAF with SQL injection detection rules specifically configured for backslash escape bypass patterns
# MySQL configuration to disable backslash escapes (workaround)
# Add to my.cnf or my.ini configuration file
[mysqld]
sql_mode = "NO_BACKSLASH_ESCAPES,STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
# Or set dynamically (session-level)
# SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.