Security Advisories. Source: GitHub Security Advisories. Views: 1
[kysely] Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
By GitHub, March 21, 2026
**Summary**

Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ESCAPES` is OFF by default), an attacker can use a backslash to escape the trailing quote of a string literal, breaking out of the string context and injecting arbitrary SQL. This affects any code path that uses `ImmediateValueTransformer` to inline values, specifically `CreateIndexBuilder.where()` and `CreateViewBuilder.as()`.

**Details**

The root cause is in `DefaultQueryCompiler.sanitizeStringLiteral()` (`src/query-compiler/default-query-compiler.ts:1819-1821`):

```ts
protected sanitizeStringLiteral(value: string): string {
  return value.replace(LIT_WRAP_REGEX, "''")
}
```

Where `LIT_WRAP_REGEX` is defined as `/'/g` (line 121). This only doubles single quotes; it does not escape backslash characters...
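The escaping gap the advisory describes, modelled as an added example that is not Kysely's own code: `sanitizeStringLiteralQuoteOnly` mirrors the quote-doubling behaviour the advisory attributes to `DefaultQueryCompiler.sanitizeStringLiteral()`, `sanitizeStringLiteralMySql` is a hypothetical hardened variant that also escapes backslashes, and `mysqlLiteralEnd` scans a compiled literal with MySQL's default rules (`NO_BACKSLASH_ESCAPES` OFF) to check whether the value stayed inside its quotes. The sample value is constructed and every function name here is an assumption.

```typescript
// Added example, not Kysely's code. Models the advisory's escaping issue
// and a dialect-aware check for it.

const LIT_WRAP_REGEX = /'/g;

// Mirrors the behaviour the advisory describes: doubles single quotes only.
function sanitizeStringLiteralQuoteOnly(value: string): string {
  return value.replace(LIT_WRAP_REGEX, "''");
}

// Hypothetical hardened variant for MySQL with NO_BACKSLASH_ESCAPES OFF:
// escape the backslash first so the quote doubling that follows is not
// itself re-escaped. A doubled quote is the SQL-standard escape and is
// accepted by MySQL as well.
function sanitizeStringLiteralMySql(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(LIT_WRAP_REGEX, "''");
}

// Wraps a sanitized value in single quotes, as an inlining compiler would.
function quoteLiteral(value: string, sanitize: (v: string) => string): string {
  return `'${sanitize(value)}'`;
}

// Scans a single-quoted literal the way a MySQL lexer does when
// NO_BACKSLASH_ESCAPES is OFF: a backslash escapes the next character and a
// doubled quote is a literal quote. Returns the index just past the closing
// quote, or -1 if the literal never terminates.
function mysqlLiteralEnd(sql: string, start = 0): number {
  if (sql[start] !== "'") return -1;
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") {
      i += 2; // escaped character: skip it, whatever it is
      continue;
    }
    if (c === "'") {
      if (sql[i + 1] === "'") {
        i += 2; // doubled quote: still inside the literal
        continue;
      }
      return i + 1; // closing quote found
    }
    i += 1;
  }
  return -1; // ran off the end without closing the literal
}

// True when the compiled text is exactly one well-terminated MySQL string
// with nothing trailing it, i.e. the value could not have escaped the
// string context.
function literalIsContained(compiled: string): boolean {
  return mysqlLiteralEnd(compiled) === compiled.length;
}

// Constructed sample value: an ordinary string that happens to end in a
// backslash, the character class the advisory identifies as unescaped.
const SAMPLE_VALUE = "acme\\";

const VULNERABLE_SQL = quoteLiteral(SAMPLE_VALUE, sanitizeStringLiteralQuoteOnly);
const HARDENED_SQL = quoteLiteral(SAMPLE_VALUE, sanitizeStringLiteralMySql);

console.log(VULNERABLE_SQL, literalIsContained(VULNERABLE_SQL)); // 'acme\' false
console.log(HARDENED_SQL, literalIsContained(HARDENED_SQL));     // 'acme\\' true
```

With a value ending in a backslash, the quote-only escaper emits `'acme\'`, which the scanner cannot terminate because the backslash consumes the closing quote; the backslash-aware variant emits `'acme\\'`, which terminates exactly at the end of the literal. The same scanner can be run over compiled SQL as a regression check wherever a code path is known to inline literals. Any fix of this kind has to be dialect-aware: doubling backslashes is correct for MySQL in its default mode, but on dialects that treat a backslash as an ordinary character it would corrupt the stored value.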
---
**[devsupporter commentary]**
This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools or technologies, refer to the original link.