Kysely
- >= 0.26.0, <= 0.28.16
A vulnerability in Kysely, a TypeScript SQL query builder, allows unauthorized traversal of JSON-path keys in versions 0.26.0 through 0.28.16. The issue arises because the DefaultQueryCompiler.visitJSONPathLeg method does not escape JSON-path metacharacters, so attacker-controlled key text can alter the compiled JSON path and reach sub-fields of a JSON column that should remain private. The MySQL, PostgreSQL, and SQLite dialects are all affected.
Exploitation of this vulnerability bypasses the intended access controls on JSON sub-fields, allowing unauthorized read access to sensitive data such as internal tokens and admin flags. In MySQL and PostgreSQL, the flaw also permits wildcard reads, widening the data exposure. In update statements, it can additionally be used to write into nested fields that should not be reachable, for example to alter an admin flag.
The vulnerability can be reproduced on Kysely 0.28.16 by passing attacker-controlled input to the JSON-path key() or at() methods, particularly when the JSON column is typed as Record<string, T> (so any string is accepted as a key). A query that selects JSON data through the vulnerable JSON-path handling can then reach unintended fields.
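The following is an added illustration of the escaping problem described above, not Kysely's own code or its fix: a naive JSON-path leg compiler that splices key text in verbatim, beside a hardened version that emits every key as a quoted, escaped member name, plus an application-side allow-list guard. The leg shape, function names and sample keys are constructed for this example.

```typescript
// Added illustration, not Kysely's own code or its fix. In the '->$' style
// used by the MySQL and SQLite dialects, each .key(...) call becomes a
// "$.name" leg and each .at(...) call an "[index]" leg. Names and sample
// keys here are constructed for this example.

type JsonPathLeg =
  | { type: "key"; key: string }
  | { type: "at"; index: number };

// The flawed pattern: the key text is spliced into the path verbatim, so a
// key containing '.', '[', ']', '*' or '"' can add legs or wildcards.
export function naiveJsonPath(legs: JsonPathLeg[]): string {
  return "$" + legs
    .map(l => (l.type === "key" ? `.${l.key}` : `[${l.index}]`))
    .join("");
}

// Hardened pattern: every key leg is emitted as a double-quoted member name
// with backslash and double quote escaped (JSON string escaping), so one
// call always yields exactly one literal member; array legs must be a
// non-negative integer. Output is path text only; embedding it in SQL still
// requires the dialect's string-literal quoting or parameter binding.
export function quotedJsonPath(legs: JsonPathLeg[]): string {
  return "$" + legs
    .map(l => {
      if (l.type === "key") {
        const escaped = l.key.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
        return `."${escaped}"`;
      }
      if (!Number.isInteger(l.index) || l.index < 0) {
        throw new RangeError(`invalid JSON array index: ${l.index}`);
      }
      return `[${l.index}]`;
    })
    .join("");
}

// Application-side guard for code that cannot upgrade yet: accept only keys
// from the set of sub-fields this caller is allowed to touch.
export function pickAllowedKey(key: string, allowed: readonly string[]): string {
  if (!allowed.includes(key)) throw new Error(`JSON key not permitted: ${key}`);
  return key;
}

// Constructed attacker-style input: one "key" that reads a sibling sub-field
// when spliced in unescaped, but stays a single literal member when quoted.
export const traversalKey = "public.internal_token";
```

With the naive compiler the constructed key becomes two path legs (`$.public.internal_token`); with the quoted compiler it stays one member (`$."public.internal_token"`), and a `*` key becomes the literal member `"*"` rather than a wildcard.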
Users can upgrade to Kysely version 0.28.17 or later, where this vulnerability has been fixed.