Kysely SQL Injection Vulnerability in JSON Path Key Handling on MySQL

Vulnerability

A SQL injection vulnerability has been identified in Kysely, a type-safe TypeScript SQL query builder, specifically in versions 0.28.12 and 0.28.13. The issue lies in the `sanitizeStringLiteral` method of Kysely's query compiler, which doubles single quotes but leaves backslashes unescaped. This flaw can be exploited on MySQL databases running with the default `BACKSLASH_ESCAPES` SQL mode, where a backslash inside a string literal acts as an escape character. By placing a backslash before a single quote, an attacker causes MySQL to treat the doubled quote as an escaped quote followed by a closing quote, breaks out of the JSON path string literal, and can inject arbitrary SQL. The vulnerability affects any application that uses Kysely with MySQL and passes user-controlled input to JSON path builder methods such as `.key()` or `.at()`.

Impact

Exploitation of this vulnerability allows for arbitrary SQL injection into queries executed against MySQL databases, with potential for data exfiltration, unauthorized data modification or deletion, and in some cases, full database compromise depending on MySQL user privileges.

Reproduction

To reproduce this vulnerability, use Kysely version 0.28.12 or 0.28.13 with the MySQL dialect and pass a value containing a backslash followed by a single quote to the `.key()` method of a JSON path builder. MySQL interprets the injected backslash as an escape character, so the string literal terminates early and the remainder of the value is parsed as SQL.

Remediation

Users should upgrade to Kysely version 0.28.14 or later, where this vulnerability has been fixed. Alternatively, users of the MySQL dialect can override the `sanitizeStringLiteral` method so that it escapes backslashes in addition to single quotes.
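The following is an added example, not Kysely's own code: it places the defective escaping described under Vulnerability beside the hardened form described under Remediation, and checks both against a small model of how MySQL reads a quoted literal when backslash escapes are enabled. The function names and the scanner are assumptions made for this illustration.

```typescript
// Vulnerable behaviour: only single quotes are doubled, backslashes pass through.
function sanitizeVulnerable(value: string): string {
  return value.replace(/'/g, "''");
}

// Hardened behaviour: escape backslashes first, then double single quotes, so an
// input backslash can never pair with the quote that is meant to close the literal.
function sanitizeFixed(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Minimal model (an assumption, not MySQL's parser) of a MySQL string literal
// under the default SQL mode: "\x" yields x, "''" yields one quote, a lone quote
// ends the literal. Named escapes such as \n are not modelled; they do not
// affect quote handling. A non-empty `rest` means the literal closed early and
// the remainder would be parsed as SQL; null means the literal never closed.
function scanMysqlLiteral(sql: string): { value: string; rest: string } | null {
  if (sql[0] !== "'") return null;
  let out = "";
  let i = 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\" && i + 1 < sql.length) {
      out += sql[i + 1];
      i += 2;
    } else if (c === "'") {
      if (sql[i + 1] === "'") {
        out += "'";
        i += 2;
      } else {
        return { value: out, rest: sql.slice(i + 1) };
      }
    } else {
      out += c;
      i += 1;
    }
  }
  return null;
}

// True when the emitted literal decodes back to the original key with nothing
// left over, i.e. the key stayed entirely inside the string literal.
function roundTrips(key: string, sanitize: (s: string) => string): boolean {
  const parsed = scanMysqlLiteral(`'${sanitize(key)}'`);
  return parsed !== null && parsed.value === key && parsed.rest === "";
}
```

A key containing a backslash followed by a quote fails the round-trip check with `sanitizeVulnerable` and passes it with `sanitizeFixed`; a key containing only a backslash is silently corrupted by the vulnerable version, which is the same defect seen from the other side.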

Added: Mar 26, 2026, 5:36 PM
Updated: Mar 26, 2026, 5:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.3
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.