Kysely SQL Injection Vulnerability in JSON Path Compilation for MySQL and SQLite
Vulnerability
A SQL injection vulnerability has been identified in Kysely, a TypeScript SQL query builder, in versions through 0.28.11. The issue arises in the JSON path compilation for the MySQL and SQLite dialects, where user-controlled values from the `.key()` and `.at()` methods are appended directly into JSON path string literals without escaping. A value containing a single quote can therefore terminate the string literal, break out of the JSON path context and inject arbitrary SQL. The root cause is that the `visitJSONPathLeg()` function does not escape single quotes in the leg values it emits; the `sanitizeIdentifier()` function, by contrast, escapes identifiers correctly, so only the JSON path values are left unprotected.
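The following is an added example, not Kysely's own code and not its fix: a minimal compiler for the MySQL/SQLite `col->>'$.path'` form that escapes user-controlled path legs before embedding them in the SQL string literal, placed beside a naive variant that mirrors the defect described above. All names (`JsonPathLeg`, `compileJsonExtract`, `literalIsIntact`, the backtick identifier quoting) are assumptions made for the illustration; the sample input is constructed and uses an ordinary key that happens to contain an apostrophe.

```typescript
// Added example (not Kysely's code): compile MySQL/SQLite JSON extraction,
// `col->>'$.path'`, treating every user-controlled path leg as data.
// Type and function names are assumptions for this illustration.

type JsonPathLeg =
  | { type: "Member"; key: string }        // value from a .key()-style call
  | { type: "ArrayIndex"; index: number }; // value from an .at()-style call

// Quote a column identifier (MySQL style) by doubling embedded backticks.
function quoteIdentifier(name: string): string {
  return "`" + name.replace(/`/g, "``") + "`";
}

// Escape a value for use inside a single-quoted SQL string literal.
function escapeStringLiteral(value: string): string {
  return value.replace(/'/g, "''");
}

// Build the JSON path text ($.a."b c"[0]). Keys that are not plain
// identifiers are wrapped in JSON path double quotes with \ and " escaped.
function buildJsonPath(legs: JsonPathLeg[]): string {
  let path = "$";
  for (const leg of legs) {
    if (leg.type === "Member") {
      if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(leg.key)) {
        path += `.${leg.key}`;
      } else {
        const quoted = leg.key.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
        path += `."${quoted}"`;
      }
    } else {
      if (!Number.isInteger(leg.index) || leg.index < 0) {
        throw new Error(`invalid array index: ${String(leg.index)}`);
      }
      path += `[${leg.index}]`;
    }
  }
  return path;
}

// Hardened form: the whole path is escaped as a string literal, so a quote
// inside a key cannot terminate the literal and reach the SQL parser.
function compileJsonExtract(column: string, legs: JsonPathLeg[]): string {
  const path = escapeStringLiteral(buildJsonPath(legs));
  return `${quoteIdentifier(column)}->>'${path}'`;
}

// Naive form modelled on the defect the advisory describes: leg values are
// concatenated into the literal with no escaping at all.
function compileJsonExtractUnsafe(column: string, legs: JsonPathLeg[]): string {
  let path = "$";
  for (const leg of legs) {
    path += leg.type === "Member" ? `.${leg.key}` : `[${leg.index}]`;
  }
  return `${quoteIdentifier(column)}->>'${path}'`;
}

// Review/test check: the compiled fragment must contain exactly one string
// literal, and that literal must run to the very end of the fragment.
function literalIsIntact(sql: string): boolean {
  const start = sql.indexOf("'");
  if (start < 0) return false;
  let i = start + 1;
  while (i < sql.length) {
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; } // doubled quote: still inside
      return i === sql.length - 1;                  // closing quote must be last
    }
    i++;
  }
  return false; // unterminated literal
}

// Constructed sample input: a legitimate key that contains an apostrophe.
const sampleLegs: JsonPathLeg[] = [
  { type: "Member", key: "authors" },
  { type: "ArrayIndex", index: 0 },
  { type: "Member", key: "O'Reilly" },
];

console.log(compileJsonExtractUnsafe("doc", sampleLegs)); // literal ends after "O"
console.log(compileJsonExtract("doc", sampleLegs));       // quote stays inside
```

Running it shows the naive compiler emitting `` `doc`->>'$.authors[0].O'Reilly' ``, where the literal closes early and `literalIsIntact` reports `false`, while the hardened compiler emits `` `doc`->>'$.authors[0]."O''Reilly"' `` and the check passes. The same check can be applied to a query builder's generated SQL in a unit test to catch regressions of this kind before they reach a database.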
Impact
Exploitation of this vulnerability allows for arbitrary SQL injection via unsanitized JSON path keys, potentially leading to data exfiltration or manipulation.
Reproduction
To reproduce this vulnerability, use Kysely version 0.28.11 with a MySQL or SQLite database. Create a table with a JSON column and another table for testing purposes. Then, use the Kysely query builder to select data from the JSON column while injecting malicious SQL through the unsanitized JSON path keys. The injected SQL will be executed, demonstrating the vulnerability.
Remediation
Users can upgrade to Kysely version 0.28.12 or later, where this vulnerability has been fixed.
