## Drizzle ORM 0.45.2 Patches Critical SQL Injection Vulnerability in `sql.identifier()` and `sql.as()`
A critical security flaw has been patched in the widely used Drizzle ORM library. Version 0.45.2 fixes a SQL injection (CWE-89) vulnerability in the `sql.identifier()` and `sql.as()` functions: values passed to them were not properly escaped, so an attacker who controlled those values could execute arbitrary SQL commands on applications running affected versions, potentially leading to data theft, corruption, or unauthorized access.

The vulnerability was discovered and reported by independent security researchers EthanKim88, 0x90sh, and wgoodall01, who provided a reproduction case and a suggested fix to the Drizzle team. The patch, released as part of version 0.45.2, addresses the improper escaping issue. The update is a minor version bump from 0.45.1, indicating the fix is backward-compatible but security-critical. The Drizzle team has credited the researchers publicly in the release notes.

This patch is a mandatory update for any development team or organization running Drizzle ORM in production. Because the flaw sits in core query-building functions, the attack surface is broad: any code that passes a dynamic table or column name through these utilities is affected, and call sites where `sql.identifier()` or `sql.as()` receive user-controlled input deserve review alongside the upgrade. Failing to upgrade leaves applications exposed to a well-understood, high-severity attack vector. The maintainers' swift response, enabled by responsible disclosure, highlights the ongoing security pressures on the open-source software supply chain.
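As an added example (not Drizzle's code and not the fix shipped in 0.45.2), the following TypeScript shows the two controls an application or query builder should apply to a dynamic column name before it reaches SQL text: an allow-list so user input only selects from known names, and standard identifier quoting (wrap in double quotes, double any embedded quote) so the name is always parsed as a single token. The `users` table, its columns, the allow-list and the function names are constructed for this example.

```typescript
// Added example, not Drizzle's own code. Demonstrates the two layers a
// query builder should apply to a dynamic table or column name.
// Quoting follows the SQL-standard rule used by PostgreSQL and SQLite:
// wrap the name in double quotes and double any embedded double quote.
// The allow-list, table name and column names are constructed here.

const SORTABLE_COLUMNS: ReadonlySet<string> = new Set(["id", "created_at", "email"]);

// Quote an identifier so the database parses it as exactly one name.
function quoteIdentifier(name: string): string {
  if (name.length === 0) {
    throw new Error("identifier must not be empty");
  }
  if (name.includes("\0")) {
    throw new Error("identifier must not contain NUL");
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Allow-list check: user input chooses a column from a fixed set and
// never becomes identifier text on its own.
function resolveSortColumn(requested: string): string {
  if (!SORTABLE_COLUMNS.has(requested)) {
    throw new Error(`unsupported sort column: ${JSON.stringify(requested)}`);
  }
  return quoteIdentifier(requested);
}

type SortDirection = "asc" | "desc";

// Build a query with both layers applied to the dynamic ORDER BY column.
function buildUserListQuery(sortBy: string, direction: SortDirection): string {
  const dir = direction === "desc" ? "DESC" : "ASC";
  return `SELECT id, email FROM users ORDER BY ${resolveSortColumn(sortBy)} ${dir}`;
}

// True when the requested name was rejected by the allow-list, so a
// caller can confirm that unknown names never reach the query text.
function isRejectedSortColumn(requested: string): boolean {
  try {
    resolveSortColumn(requested);
    return false;
  } catch (_e: unknown) {
    return true;
  }
}

console.log(buildUserListQuery("created_at", "desc"));
console.log(quoteIdentifier('odd"name'));
```

The allow-list is the control that matters most for request-driven sorting or filtering; quoting is the second layer that keeps an identifier from being read as anything other than a name even when the first layer is bypassed or a legitimate name contains unusual characters.
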

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, sql-injection, open-source, patch
- **Credibility**: unverified
- **Published**: 2026-04-08 07:27:05
- **ID**: 54508
- **URL**: https://whisperx.ai/en/intel/54508