Injection SQL via escapeName() dans tous les dialectes SQL Drizzle ORM

An attacker exploiting this vulnerability can inject arbitrary SQL queries into the database. This could lead to unauthorized data access, modification, or deletion. Depending on the database permissions and application logic, an attacker might be able to escalate privileges, gain control of the database server, or even compromise the entire application. The potential impact is significant, especially in applications that handle sensitive data or critical business processes. Successful exploitation could result in data breaches, financial losses, and reputational damage.

Applications built using drizzle-orm that rely on user-supplied data for constructing SQL identifiers or aliases are at risk. This includes applications that dynamically generate database queries based on user input, such as search functionality, filtering options, or data import/export features. Projects using older versions of drizzle-orm, particularly those with limited security testing or code review processes, are especially vulnerable.

• nodejs / server:

npm audit drizzle-orm

• nodejs / server:

grep -r 'sql.identifier(' . --exclude-dir=node_modules

• nodejs / server:

find . -name '*.js' -exec grep -H 'sql.identifier(' {} + 

1. 2026-04-08Disclosure

   disclosure

1. Réservé2026-04-06
2. Publiée2026-04-08
3. EPSS mis à jour2026-04-15

The primary mitigation for CVE-2026-39356 is to upgrade to drizzle-orm version 0.45.2 or later. If upgrading immediately is not feasible, consider implementing input validation and sanitization on any user-supplied data used in SQL identifier construction. While not a complete fix, using parameterized queries or prepared statements can help prevent SQL injection attacks. Monitor database logs for unusual activity and consider implementing a Web Application Firewall (WAF) with SQL injection protection rules.