## Drizzle ORM 0.45.2 Patches Critical SQL Injection Vulnerability in `sql.identifier()` and `sql.as()`
A critical security vulnerability has been patched in the widely used Drizzle ORM library. Version 0.45.2 fixes a SQL injection flaw (CWE-89) in the `sql.identifier()` and `sql.as()` functions, where the values passed to them were not properly escaped. A vulnerability of this type could allow attackers to execute arbitrary SQL commands against affected databases, potentially leading to data theft, manipulation, or destruction.

The issue was identified and reported by external security researchers EthanKim88, 0x90sh, and wgoodall01, who provided the Drizzle team with a reproduction case and a suggested fix. The patch, commit 273c780, was released promptly following the disclosure. This incident highlights the persistent security risks within foundational software dependencies, even in popular and modern tools designed for developer safety.

For any project using Drizzle ORM, this is a mandatory, time-sensitive update. The vulnerability is present in version 0.45.1 and in every earlier version that provides the affected functions. Development and security teams must immediately upgrade to version 0.45.2 to mitigate the risk. Failing to patch leaves applications exposed to a well-understood and frequently exploited attack vector, with potential cascading consequences for data integrity and application security.
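
The two points above, what "properly escaped" means for a SQL identifier and how to gate on the fixed release, as an added example (this is illustrative code, not Drizzle ORM's own implementation or the patch in commit 273c780; the function names and the plain `x.y.z` version format are assumptions):

```javascript
// Added example, not Drizzle ORM's code. Contrasts a naive identifier
// helper with one that escapes the way quoted SQL identifiers require,
// and adds a version gate for the fixed release named in the advisory.

// NAIVE: wraps the name in double quotes but never escapes an embedded
// double quote, so a value containing '"' closes the identifier early.
function naiveIdentifier(name) {
  return `"${name}"`;
}

// HARDENED: the SQL-standard rule for a quoted identifier is to double
// every embedded double quote. NUL bytes are rejected outright because
// many drivers truncate or mishandle them.
function safeIdentifier(name) {
  if (typeof name !== "string" || name.length === 0) {
    throw new TypeError("identifier must be a non-empty string");
  }
  if (name.includes("\0")) {
    throw new TypeError("identifier must not contain NUL");
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Qualified names (schema.table) are quoted part by part, never as one
// string, so a '.' inside a part cannot be mistaken for a separator.
function safeQualifiedIdentifier(...parts) {
  return parts.map(safeIdentifier).join(".");
}

// Version gate: true when the installed drizzle-orm is at least the fixed
// release. Assumes plain x.y.z strings (hypothetical helper, not an API).
const FIXED_VERSION = "0.45.2";
function isPatchedVersion(installed, fixed = FIXED_VERSION) {
  const a = installed.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  if (a.length !== 3 || b.length !== 3 || a.some(Number.isNaN) || b.some(Number.isNaN)) {
    throw new TypeError("expected x.y.z version strings");
  }
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Constructed sample: an identifier carrying an embedded double quote.
const sample = 'user"name';
console.log(naiveIdentifier(sample)); // "user"name"   (quote closes early)
console.log(safeIdentifier(sample));  // "user""name"  (stays one identifier)
console.log(isPatchedVersion("0.45.1")); // false
```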

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, sql-injection, open-source, patch
- **Credibility**: unverified
- **Published**: 2026-03-30 14:27:25
- **ID**: 41390
- **URL**: https://whisperx.ai/en/intel/41390