Platform: nodejs
Component: drizzle-orm
Fixed in: 0.45.3, 1.0.1, 0.45.2
CVE-2026-39356 describes a SQL Injection vulnerability found in the drizzle-orm library. This flaw arises from improper escaping of quoted SQL identifiers, allowing attackers to inject malicious SQL code. The vulnerability impacts versions of drizzle-orm prior to 0.45.2 and can be mitigated by upgrading to the patched version.
An attacker exploiting this vulnerability can inject arbitrary SQL queries into the database. This could lead to unauthorized data access, modification, or deletion. Depending on the database permissions and application logic, an attacker might be able to escalate privileges, gain control of the database server, or even compromise the entire application. The potential impact is significant, especially in applications that handle sensitive data or critical business processes. Successful exploitation could result in data breaches, financial losses, and reputational damage.
This vulnerability was publicly disclosed on 2026-04-08. Currently, there are no known active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of this writing.
Applications built using drizzle-orm that rely on user-supplied data for constructing SQL identifiers or aliases are at risk. This includes applications that dynamically generate database queries based on user input, such as search functionality, filtering options, or data import/export features. Projects using older versions of drizzle-orm, particularly those with limited security testing or code review processes, are especially vulnerable.
• nodejs / server: npm ls drizzle-orm && npm audit
• nodejs / server: grep -rn -e 'sql\.identifier(' -e '\.as(' . --exclude-dir=node_modules
• nodejs / server: find . -path ./node_modules -prune -o \( -name '*.ts' -o -name '*.js' \) -exec grep -Hn 'sql\.identifier(' {} +
Exploit status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39356 is to upgrade to drizzle-orm version 0.45.2 or later. If upgrading immediately is not feasible, validate any user-supplied data used to build SQL identifiers or aliases, preferably by mapping it onto an allowlist of known column and table names rather than by escaping it. Parameterized queries and prepared statements bind values, not identifiers, so they do not close this particular gap on their own, but they still reduce the overall SQL injection surface. Monitor database logs for unusual activity and consider a Web Application Firewall (WAF) with SQL injection protection rules as an additional layer.
Upgrade to version 0.45.2 or 1.0.0-beta.20 or later to mitigate the SQL injection vulnerability. The update corrects how escaped SQL identifiers are handled, preventing injection of malicious code. Review your code for any use of `sql.identifier()` or `.as()` with user-provided data and make sure that data is properly validated.
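The review step above asks for validation of user-provided data before it reaches `sql.identifier()` or `.as()`. The following is an added example (not drizzle-orm's own code) of the allowlist approach: the table, column names and the `resolveSortColumn`/`safeAlias` helpers are constructed for illustration, and the returned string is always the allowlist's own value, never the user's input.

```typescript
// Added example, not drizzle-orm's own code: resolve user-supplied column
// names against an allowlist before they reach sql.identifier() or .as().
// Table and column names below are a constructed sample schema.
const ALLOWED_SORT_COLUMNS = new Map<string, readonly string[]>([
  ["users", ["id", "email", "created_at"]],
  ["orders", ["id", "total", "created_at"]],
]);

// Shape check on top of the allowlist: a plain unquoted identifier only,
// so the ORM's quoting/escaping of identifiers is never relied on.
const PLAIN_IDENTIFIER = /^[a-z_][a-z0-9_]{0,62}$/;

class IdentifierError extends Error {}

/**
 * Map a user-supplied column name to the allowlisted identifier for `table`.
 * Returns the allowlist's own string (never the user's input) or throws.
 * A Map rather than a plain object is used so keys such as "constructor"
 * cannot resolve to Object.prototype members.
 */
function resolveSortColumn(table: string, requested: unknown): string {
  if (typeof requested !== "string") throw new IdentifierError("column name must be a string");
  const columns = ALLOWED_SORT_COLUMNS.get(table);
  if (columns === undefined) throw new IdentifierError(`unknown table: ${table}`);
  const normalized = requested.trim().toLowerCase();
  if (!PLAIN_IDENTIFIER.test(normalized)) throw new IdentifierError("malformed column name");
  const match = columns.find((c) => c === normalized);
  if (match === undefined) throw new IdentifierError(`column not permitted: ${normalized}`);
  return match;
}

/**
 * Same idea for a user-chosen alias (for example an export column header):
 * accept only a plain identifier, otherwise fall back to the real column name.
 */
function safeAlias(requested: unknown, fallback: string): string {
  if (typeof requested === "string" && PLAIN_IDENTIFIER.test(requested)) return requested;
  return fallback;
}

// Intended use (assumed call shape; `q.sort` is a hypothetical query parameter):
//   sql.identifier(resolveSortColumn("users", q.sort))
```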
CVE-2026-39356 is a SQL Injection vulnerability in the drizzle-orm library, allowing attackers to inject malicious SQL code by manipulating identifiers.
You are affected if you are using drizzle-orm versions prior to 0.45.2 and your application uses user-supplied data in SQL identifier construction.
Upgrade to drizzle-orm version 0.45.2 or later. Implement input validation and sanitization as a temporary workaround.
Currently, there are no known active exploitation campaigns targeting this vulnerability, and no public PoC code is available.
Refer to the official drizzle-orm release notes and security advisories on their GitHub repository for the most up-to-date information.