Threat Advisory

Drizzle ORM Vulnerability Enables SQL Injection

Threat: Vulnerability
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Global
Alias: -
Threat Actor Region: -
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-39356, with a CVSS score of 7.5, is a high-severity vulnerability affecting the npm/drizzle-orm package in versions prior to 0.45.2 and prior to 1.0.0-beta.20. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) and arises from improper escaping of quoted SQL identifiers in the dialect-specific escapeName implementations. Specifically, identifier delimiters embedded in the name were not escaped before the name was wrapped in double quotes or backticks, so an attacker who controls an identifier or alias can pass input containing the dialect's delimiter, terminate the quoted identifier early, and inject SQL after it. The vulnerability is exploitable over the network with low complexity and no privileges, and successful exploitation allows an attacker to inject SQL and disclose sensitive data, manipulate queries, or escalate privileges. Only applications that pass untrusted runtime input into identifier or alias construction (for example, user-selected column or alias names) are exposed; for those applications the business impact includes data breaches, financial losses, and reputational damage.
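The mechanism described above, shown as an added example that is not drizzle-orm's code: a vulnerable "wrap the name in the dialect delimiter" escaper next to the fixed one that doubles embedded delimiters, a checker that detects the breakout, and an identifier allowlist as defense in depth. The dialect-to-delimiter table, the selectAs query builder, the crafted alias values and the SAFE_IDENT pattern are all constructed for illustration.

```javascript
// Illustration of the bug class behind CVE-2026-39356 (CWE-89 through quoted
// SQL identifiers). Constructed example: none of this is drizzle-orm's code.

// Identifier delimiter per dialect (assumed mapping for this example).
const DELIM = { postgresql: '"', sqlite: '"', mysql: '`' };

// Vulnerable pattern: wrap the name without escaping a delimiter embedded in it.
function escapeNameVulnerable(dialect, name) {
  const d = DELIM[dialect];
  return d + name + d;
}

// Fixed pattern: double every embedded delimiter, then wrap. Doubling is the
// standard SQL way to represent the delimiter inside a quoted identifier.
function escapeNameFixed(dialect, name) {
  const d = DELIM[dialect];
  return d + name.split(d).join(d + d) + d;
}

// Checker: strip the outer delimiters, drop properly doubled ones, and see
// whether a lone delimiter remains. A lone delimiter closes the identifier early.
function hasIdentifierBreakout(dialect, quoted) {
  const d = DELIM[dialect];
  const inner = quoted.slice(1, -1);
  return inner.split(d + d).join('').includes(d);
}

// Defense in depth for call sites that accept column or alias names at runtime:
// an allowlist (assumed pattern) is easier to reason about than escaping alone.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
function assertSafeIdentifier(name) {
  if (!SAFE_IDENT.test(name)) {
    throw new Error('rejected identifier: ' + JSON.stringify(name));
  }
  return name;
}

// Hypothetical ORM-style builder that aliases a column. The escaper is passed
// in so the same call can be run through both implementations.
function selectAs(dialect, escaper, column, alias) {
  return 'SELECT ' + escaper(dialect, column) +
         ' AS ' + escaper(dialect, alias) + ' FROM t';
}

// Constructed attacker-controlled alias values, one per delimiter style.
// The MySQL payload ends in "-- " because MySQL requires whitespace after "--".
const CRAFTED = {
  postgresql: 'x" FROM users --',
  mysql: 'x` FROM users -- ',
};

// Run the crafted alias through both escapers for each dialect.
function demo() {
  const out = {};
  for (const dialect of Object.keys(CRAFTED)) {
    out[dialect] = {
      vulnerable: selectAs(dialect, escapeNameVulnerable, 'email', CRAFTED[dialect]),
      fixed: selectAs(dialect, escapeNameFixed, 'email', CRAFTED[dialect]),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

With the vulnerable escaper the PostgreSQL query becomes `SELECT "email" AS "x" FROM users --" FROM t`, a valid statement that reads `email` from `users` and comments out the original table; with the fixed escaper the alias stays a single identifier, `"x"" FROM users --"`. The allowlist rejects the crafted value outright, which is the right control wherever an identifier originates from a request rather than from code.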

RECOMMENDATION:

We recommend updating npm/drizzle-orm to version 0.45.2 or later, or to 1.0.0-beta.20 or later on the 1.0 beta line. Since the root cause is untrusted input reaching identifier or alias construction, also review call sites that build column, table or alias names from request data and validate those names against an allowlist regardless of the installed version.

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-gpj5-g38j-94v9
