CVE-2026-33442: Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.

March 20, 2026

The sanitizeStringLiteral method in Kysely’s query compiler escapes single quotes (' → '') but does not escape backslashes. On MySQL with the default BACKSLASH_ESCAPES SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path string literal and injecting arbitrary SQL.

References

github.com/advisories/GHSA-fr9j-6mvq-frcv
github.com/kysely-org/kysely
github.com/kysely-org/kysely/security/advisories/GHSA-fr9j-6mvq-frcv
nvd.nist.gov/vuln/detail/CVE-2026-33442

Code Behaviors & Features

Detect and mitigate CVE-2026-33442 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →