## Drizzle ORM 0.45.2 Patches Critical SQL Injection Vulnerability (CWE-89)
A critical security vulnerability has been patched in the widely used Drizzle ORM library. The patch, released in version 0.45.2, addresses a SQL injection flaw (CWE-89) in the `sql.identifier()` and `sql.as()` functions. The vulnerability stemmed from improper escaping of values passed to these functions: because identifier and alias names are spliced into the statement text rather than bound as parameters, a value that is not correctly escaped can break out of the identifier and alter the query, giving an attacker a direct path to execute arbitrary SQL on affected databases. This class of flaw is a primary vector for data breaches, allowing unauthorized access, data manipulation, or complete system compromise.

The issue was identified and reported by external security researchers EthanKim88, 0x90sh, and wgoodall01, who provided the Drizzle team with a reproduction case and a suggested fix. The swift patch release highlights the severity of the finding and the collaborative nature of open-source security. The vulnerability was present in the previous version, 0.45.1, meaning any project using that version or earlier unpatched releases is potentially exposed until the dependency is updated.

This incident is a reminder for development teams that rely on ORM libraries for database abstraction: ORMs are designed to prevent such vulnerabilities, but implementation flaws in the helpers that build raw SQL can reintroduce classic risks. Organizations using Drizzle should upgrade to version 0.45.2 immediately, and until then should treat any caller-influenced value reaching `sql.identifier()` or `sql.as()` as untrusted. The disclosure underscores the persistent threat of SQL injection in modern web applications and the essential role of proactive dependency management and external security audits in the software supply chain.
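As an added illustration of the defect class described above (not Drizzle's code, and no claim about how its fix is implemented), the following shows a naive identifier quoter beside one that escapes correctly, plus the allowlist guard that should sit in front of any user-influenced identifier regardless of the ORM. The PostgreSQL-style double-quote convention and the sample column names are assumptions for the example.

```javascript
// Added example: illustrates improper vs. correct escaping of SQL
// identifiers (CWE-89). This is NOT Drizzle's implementation.

// Naive quoter: wraps the name in double quotes but never escapes an
// embedded double quote, so such a value terminates the identifier early.
function quoteIdentifierNaive(name) {
  return `"${name}"`;
}

// Correct quoter (PostgreSQL convention, assumed for the example): every
// embedded double quote is doubled, NUL bytes are rejected because some
// drivers truncate on them, and empty names are refused.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  if (name.includes('\0')) {
    throw new Error('identifier must not contain NUL bytes');
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Defence in depth: a dynamic column or table name chosen by a caller is
// checked against a fixed allowlist before it reaches any identifier helper,
// so escaping bugs in the helper are never reachable with hostile input.
function assertAllowedIdentifier(name, allowlist) {
  if (!allowlist.has(name)) {
    throw new Error(`identifier not permitted: ${JSON.stringify(name)}`);
  }
  return name;
}

// Constructed sample data for the example.
const ALLOWED_SORT_COLUMNS = new Set(['id', 'name', 'created_at']);
const hostileName = 'na"me';

// Returns both quotings of the hostile name so the difference is visible.
function compareQuoting(name = hostileName) {
  return {
    naive: quoteIdentifierNaive(name), // '"na"me"' -> identifier ends at the 2nd quote
    safe: quoteIdentifier(name),       // '"na""me"' -> one identifier containing a quote
  };
}
```

In an application, the allowlist check runs first and only its result is handed to the ORM's identifier helper; the quoting function here is only to show what correct escaping has to do.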
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: SQL Injection, CWE-89, Security Patch, Open Source Security, Supply Chain Risk
- **Credibility**: unverified
- **Published**: 2026-03-30 05:26:50
- **ID**: 40503
- **URL**: https://whisperx.ai/en/intel/40503