Vulnerability	Vulnerable Version
C SQL Injection drizzle-orm is a Drizzle ORM package for SQL databases Affected versions of this package are vulnerable to SQL Injection through the `escapeName` handling in the PostgreSQL, SQLite, and SingleStore dialects. An attacker can inject arbitrary SQL by supplying a malicious identifier to `sql.identifier()` or `sql.as()`, causing generated queries to break out of the quoted name and execute attacker-controlled SQL. This affects applications that build `SELECT`, `ORDER BY`, `INSERT`, `UPDATE`, or migration statements from untrusted table, column, or alias names. In the worst case, if the application user has write and execute privileges, this could allow code execution. How to fix SQL Injection? Upgrade `drizzle-orm` to version 1.0.0-beta.20-91f355e, 0.45.2 or higher.	>=1.0.0-beta.2-e93475f <1.0.0-beta.20-91f355e>=0.37.0 <0.45.2

SQL Injection

drizzle-orm is a Drizzle ORM package for SQL databases

Affected versions of this package are vulnerable to SQL Injection through the escapeName handling in the PostgreSQL, SQLite, and SingleStore dialects. An attacker can inject arbitrary SQL by supplying a malicious identifier to sql.identifier() or sql.as(), causing generated queries to break out of the quoted name and execute attacker-controlled SQL. This affects applications that build SELECT, ORDER BY, INSERT, UPDATE, or migration statements from untrusted table, column, or alias names. In the worst case, if the application user has write and execute privileges, this could allow code execution.

How to fix SQL Injection?

Upgrade drizzle-orm to version 1.0.0-beta.20-91f355e, 0.45.2 or higher.

>=1.0.0-beta.2-e93475f <1.0.0-beta.20-91f355e>=0.37.0 <0.45.2

Go back to all versions of this package