Kysely, JSON Path Injection, CVE-2026-32763 (Critical)

Listen to this Post

How CVE-2026-32763 works:

The vulnerability exists in Kysely’s JSON path leg compilation. When an attacker controls input passed to `.key()` or `.at()` on a JSON path builder (e.g., eb.ref(col, '->$').key(input)), the `visitJSONPathLeg` method emits a dot or bracket without validating the string. The `sanitizeStringLiteral` function only escapes single quotes ('''), leaving JSON‑path metacharacters (. `[` ] ?) untouched. Because `Record` columns cause `K` to infer string, type‑safe code also becomes vulnerable. A malicious input like `”internal.ssn”` turns the path `’$.nick’` into '$.internal.ssn', letting the database traverse into nested fields. The same applies to array indices via `.at(“]”)` to break brackets. MySQL and PostgreSQL ->$/->>$ as well as SQLite are affected. The incomplete fix (commit 0a602bf) only addressed single quotes, not the full JSON‑path grammar. Attackers can read arbitrary sub‑fields, use wildcards (,) to dump entire objects, or in `UPDATE` statements write into unauthorized nested keys. The issue is not a default behaviour but occurs whenever developer uses dynamic keys from requests.

dailycve form:

Platform: Kysely npm
Version: <=0.28.16
Vulnerability: JSON Path Injection
Severity: Critical
date: 2026-05-11

Prediction: Patch 2026-06-15

What Undercode Say:

Compile SQL injection proof
node poc.mjs
Show compiled SQL with dot traversal
echo 'SELECT profile->>"$.internal.ssn" FROM me'
Reproduce with SQLite runtime
node sqlite-runtime.mjs
Check vulnerable compiler lines
grep -n "sanitizeStringLiteral" src/query-compiler/default-query-compiler.ts
Test wildcard injection
node -e "require('kysely').sql``.compile()"

Exploit:

Attacker supplies `.key(“internal.ssn”)` to read hidden SSN. On MySQL, `.key(“”)` returns all sibling values. In UPDATE, `.key(“admin”)` with value `true` escalates privilege.

Protection from this CVE:

Upgrade to patched version (not yet available). Implement allowlist of allowed JSON keys per endpoint. Use parameterised JSON path queries (PostgreSQL jsonb_path_query($1, $2)). Reject any key containing ., [, ], ,, ?. Override `visitJSONPathLeg` to validate against regex ^[A-Za-z_$][A-Za-z0-9_$]$.

Impact:

Authorization bypass for nested JSON fields (SSNs, tokens, admin flags). Wildcard reads returning entire document. Write injection enabling privilege escalation. Bypasses previously shipped fix, leaving all 0.28.120.28.16 versions vulnerable. Affects MySQL, PostgreSQL, SQLite dialects.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top