Platform
nodejs
Component
drizzle-orm
Fixed versions
0.45.3
1.0.1
0.45.2
CVE-2026-39356 is a SQL injection vulnerability in drizzle-orm: the escapeName() method does not correctly escape quotes when handling SQL identifiers, which allows an attacker to inject malicious SQL code. The vulnerability may let an attacker bypass security controls and access or modify sensitive information in the database. Affected versions include drizzle-orm releases before 0.45.2; upgrading to 0.45.2 as soon as possible is recommended.
An attacker exploiting this vulnerability can inject arbitrary SQL queries into the database. This could lead to unauthorized data access, modification, or deletion. Depending on the database permissions and application logic, an attacker might be able to escalate privileges, gain control of the database server, or even compromise the entire application. The potential impact is significant, especially in applications that handle sensitive data or critical business processes. Successful exploitation could result in data breaches, financial losses, and reputational damage.
This vulnerability was publicly disclosed on 2026-04-08. Currently, there are no known active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of this writing.
Applications built using drizzle-orm that rely on user-supplied data for constructing SQL identifiers or aliases are at risk. This includes applications that dynamically generate database queries based on user input, such as search functionality, filtering options, or data import/export features. Projects using older versions of drizzle-orm, particularly those with limited security testing or code review processes, are especially vulnerable.
• nodejs / server: npm audit drizzle-orm
• nodejs / server: grep -r 'sql.identifier(' . --exclude-dir=node_modules
• nodejs / server: find . -name '*.js' -exec grep -H 'sql.identifier(' {} +
Exploitation status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39356 is to upgrade to drizzle-orm version 0.45.2 or later. If upgrading immediately is not feasible, validate and sanitize any user-supplied data that is used to construct SQL identifiers. Parameterized queries or prepared statements protect values but cannot bind identifiers, so while they help prevent SQL injection in general they are not a complete fix for this issue. Monitor database logs for unusual activity and consider deploying a Web Application Firewall (WAF) with SQL injection protection rules.
Upgrade to version 0.45.2 or 1.0.0-beta.20 or later to mitigate the SQL injection vulnerability. The update corrects how escaped SQL identifiers are handled, preventing the injection of malicious code. Review your code for any use of `sql.identifier()` or `.as()` with user-supplied data and make sure that data is properly validated.
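As an added example of the review step described above (not code from drizzle-orm or from this advisory), the following Node.js snippet resolves a user-supplied sort key through an allowlist before anything reaches `sql.identifier()` or `.as()`. The column names are hypothetical, and `quotedIdentifier()` is a stand-in for drizzle's function so the file runs stand-alone without the library installed.

```javascript
// Added example, not drizzle-orm's own code: route a user-supplied sort key
// through an allowlist so the value handed to sql.identifier() or .as() is
// never the raw request string. The column names below are hypothetical;
// quotedIdentifier() is a stand-in for sql.identifier() so the file runs
// without drizzle-orm installed.

// Public sort keys mapped to the real column names. The database identifier
// never comes from the request; the request only selects an allowlisted entry.
const SORTABLE_COLUMNS = Object.freeze({
  name: 'display_name',
  created: 'created_at',
  email: 'email',
});

// Defence in depth: even an allowlisted column must look like a bare identifier
// (no quotes, dots, spaces or other characters an escaper might mishandle).
const SAFE_IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

function resolveSortColumn(userSort) {
  if (typeof userSort !== 'string') {
    throw new TypeError('sort must be a string');
  }
  // hasOwnProperty avoids matching inherited keys such as "constructor".
  const column = Object.prototype.hasOwnProperty.call(SORTABLE_COLUMNS, userSort)
    ? SORTABLE_COLUMNS[userSort]
    : undefined;
  if (column === undefined || !SAFE_IDENTIFIER.test(column)) {
    throw new RangeError(`unsupported sort column: ${JSON.stringify(userSort)}`);
  }
  return column;
}

// Stand-in for drizzle's sql.identifier(): standard SQL double-quote quoting
// with embedded quotes doubled. It is here only so the example is runnable.
function quotedIdentifier(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// What an ORDER BY clause would use; resolveSortColumn() throws before any
// quoting happens, so a rejected key never reaches the escaper at all.
function buildOrderBy(userSort) {
  const column = resolveSortColumn(userSort);
  return `ORDER BY ${quotedIdentifier(column)}`;
}
```

The same pattern applies to `.as()` aliases: derive the alias from an allowlisted entry rather than passing the request value through.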
CVE-2026-39356 is a SQL injection vulnerability in the drizzle-orm library. Because identifiers are escaped incorrectly, an attacker can inject malicious SQL code by constructing a malicious SQL identifier.
If you are using a drizzle-orm version lower than 0.45.2, you may be affected by this vulnerability. Check your project dependencies and upgrade to the latest version.
Upgrading to drizzle-orm 0.45.2 or later fixes this vulnerability. Make sure to update your project dependencies.